Skip to main content

Bind 9 CVE-2026-1519

| EUVDEUVD-2026-15406 HIGH
Unchecked Input for Loop Condition (CWE-606)
2026-03-25 isc GHSA-84m6-p53c-x4wp
7.5
CVSS 3.1 · Vendor: isc
Share

Severity by source

Vendor (isc) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (isc).

CVSS VectorVendor: isc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
PoC Detected
Mar 25, 2026 - 15:41 vuln.today
Public exploit code
EUVD ID Assigned
Mar 25, 2026 - 14:00 euvd
EUVD-2026-15406
Analysis Generated
Mar 25, 2026 - 14:00 vuln.today
Patch released
Mar 25, 2026 - 14:00 nvd
Patch available
CVE Published
Mar 25, 2026 - 13:25 nvd
HIGH 7.5

DescriptionCVE.org

If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

AnalysisAI

BIND resolver servers performing DNSSEC validation can be forced into excessive CPU consumption when encountering a maliciously crafted DNS zone, resulting in denial of service. The vulnerability affects BIND 9 versions from 9.11.0 through current versions across multiple branches (9.16.50, 9.18.46, 9.20.20, 9.21.19) including BIND Supported Preview Edition variants. The CVSS score of 7.5 indicates high availability impact with network-based exploitation requiring no authentication, though no active exploitation (KEV) or proof-of-concept availability has been indicated in the provided data.

Technical ContextAI

BIND (Berkeley Internet Name Domain) is the most widely deployed DNS server software on the Internet, developed and maintained by the Internet Systems Consortium (ISC). This vulnerability specifically affects BIND 9 resolver configurations performing DNSSEC (DNS Security Extensions) validation, which cryptographically verifies DNS responses to prevent tampering. The issue is classified as CWE-606 (Unchecked Input for Loop Condition), suggesting that malformed zone data can trigger algorithmic complexity attacks or unbounded processing loops during the DNSSEC validation process. The affected CPE is cpe:2.3:a:isc:bind_9:*:*:*:*:*:*:*:*, encompassing all BIND 9 resolver deployments. While authoritative-only servers are generally unaffected, they may be vulnerable in configurations where they perform recursive queries for specific operational scenarios such as zone transfers, NOTIFY processing, or catalog zones.

RemediationAI

Upgrade BIND 9 installations immediately to patched versions: 9.18.47 or later (available at https://downloads.isc.org/isc/bind9/9.18.47), 9.20.21 or later (available at https://downloads.isc.org/isc/bind9/9.20.21), or 9.21.20 or later (available at https://downloads.isc.org/isc/bind9/9.21.20) depending on the currently deployed branch. Organizations using BIND Supported Preview Edition should apply corresponding -S1 versions. For environments where immediate patching is not feasible, consider temporarily disabling DNSSEC validation using the 'dnssec-validation no;' configuration directive, though this significantly reduces DNS security posture and should only be used as a short-term workaround until patches can be applied. Implement monitoring for abnormal CPU utilization on DNS resolver servers to detect potential exploitation attempts. Review authoritative server configurations per https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries to ensure they are not unintentionally performing recursive operations that could expose them to this vulnerability.

Vendor StatusVendor

Ubuntu

Priority: Medium
bind9
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
upstream released 9.18.47,9.20.21,9.21.20
jammy released 1:9.18.39-0ubuntu0.22.04.3
noble released 1:9.18.39-0ubuntu0.24.04.3
questing released 1:9.20.11-1ubuntu2.2
isc-dhcp
Release Status Version
trusty not-affected code not present
xenial not-affected code not present
bionic needs-triage -
focal not-affected code not present
jammy not-affected code not present
noble needs-triage -
questing needs-triage -
upstream needs-triage -
bind9-libs
Release Status Version
focal needs-triage -
jammy needs-triage -
noble DNE -
questing DNE -
upstream needs-triage -

Debian

bind9
Release Status Fixed Version Urgency
bullseye vulnerable 1:9.16.50-1~deb11u2 -
bullseye (security) vulnerable 1:9.16.50-1~deb11u4 -
bookworm vulnerable 1:9.18.41-1~deb12u1 -
bookworm (security) vulnerable 1:9.18.44-1~deb12u1 -
trixie, trixie (security) vulnerable 1:9.20.18-1~deb13u1 -
forky vulnerable 1:9.20.20-1 -
sid vulnerable 1:9.20.21-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
SUSE Manager Client Tools for SLE Micro 5 Fixed
SUSE Multi Linux Manager Tools SLE-Micro-5 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected

Share

CVE-2026-1519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy