Skip to main content

ISC BIND 9 EUVDEUVD-2026-31106

| CVE-2026-3592 MEDIUM
Incorrect Behavior Order: Early Amplification (CWE-408)
2026-05-20 isc GHSA-63mj-2fw3-4w3h
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:34 vuln.today

DescriptionCVE.org

BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

AnalysisAI

Amplified resource exhaustion in ISC BIND 9 resolvers enables remote unauthenticated attackers to cause disproportionate resource consumption by directing a victim resolver to query a specially crafted authoritative DNS zone. All major BIND 9 resolver branches are affected, spanning versions 9.11.x through 9.21.x including BIND 9 Supported (S1) variants, representing a broad deployment footprint across enterprise and ISP resolver infrastructure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; ISC has released patched versions.

Technical ContextAI

BIND 9 is ISC's widely deployed DNS resolver and authoritative server implementation. This vulnerability is rooted in CWE-408 (Incorrect Behavior Order: Early Amplification), where a small or controlled input - in this case a resolver query directed at a crafted DNS zone - triggers resource consumption that is disproportionate to the initiating request. The amplification occurs during resolver processing of responses from a maliciously constructed authoritative zone, consuming excessive CPU, memory, or both before the resolver can bound or discard the work. The CPE string cpe:2.3:a:isc:bind_9:*:*:*:*:*:*:*:* confirms the affected product as ISC BIND 9 across all platform variants. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L indicates that exploitation is fully remote, requires no authentication or user interaction, and the impact is scoped to availability of the resolver itself with no confidentiality or integrity consequence.

RemediationAI

Upgrade to a patched ISC BIND 9 release immediately. Vendor-released patches: 9.18.49 (https://downloads.isc.org/isc/bind9/9.18.49), 9.20.23 (https://downloads.isc.org/isc/bind9/9.20.23), and 9.21.22 (https://downloads.isc.org/isc/bind9/9.21.22). Operators still on the end-of-life 9.11.x or 9.16.x branches should prioritize migration to 9.18.x or 9.20.x as no patched release is provided for those legacy branches. If immediate upgrading is not possible, consider restricting recursive resolution to known trusted clients via access control lists (ACLs) using the 'allow-recursion' directive, which limits the attack surface to clients who can influence which zones the resolver queries; note this does not eliminate the vulnerability for those permitted clients. Rate-limiting upstream query behavior using the 'resolver-query-timeout' or 'max-recursion-queries' tuning options may reduce the impact of resource amplification. These workarounds have trade-offs: ACL restrictions may break resolution for legitimate clients, and query throttling may increase latency. The ISC advisory at https://kb.isc.org/docs/cve-2026-3592 should be consulted for any additional ISC-recommended mitigations.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

EUVD-2026-31106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy