CVE-2026-1519
CPU Exhaustion Vulnerability in BIND DNSSEC-Validating Resolvers
Publication date: 2026-03-25
Last updated on: 2026-04-13
Assigner: Internet Systems Consortium (ISC)
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isc | bind | 9.11.0 |
| isc | bind | 9.16.50 |
| isc | bind | 9.18.0 |
| isc | bind | 9.18.46 |
| isc | bind | 9.20.0 |
| isc | bind | 9.20.20 |
| isc | bind | 9.21.0 |
| isc | bind | 9.21.19 |
| isc | bind | 9.11.3-s1 |
| isc | bind | 9.16.50-s1 |
| isc | bind | 9.18.11-s1 |
| isc | bind | 9.18.46-s1 |
| isc | bind | 9.20.9-s1 |
| isc | bind | 9.20.20-s1 |
| isc | bind | 9.18.47 |
| isc | bind | 9.20.21 |
| isc | bind | 9.21.20 |
| isc | bind | 9.18.47-s1 |
| isc | bind | 9.20.21-s1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-606 | The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in BIND DNS resolvers that perform DNSSEC validation. When the resolver encounters a maliciously crafted DNS zone, it may consume excessive CPU resources. This can lead to performance degradation or denial of service conditions on the affected resolver.
Authoritative-only servers are generally not affected by this issue, although there are some cases where authoritative servers may perform recursive queries and thus could be impacted.
How can this vulnerability impact me?
The primary impact of this vulnerability is excessive CPU consumption on BIND DNS resolvers performing DNSSEC validation when processing maliciously crafted zones. This can degrade the performance of the DNS resolver, potentially leading to denial of service or reduced availability of DNS resolution services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes excessive CPU consumption leading to denial of service conditions on affected BIND resolvers, but it does not impact confidentiality or integrity of data.
Since the CVE description and resources indicate no loss or compromise of confidential or personal data, there is no direct indication that this vulnerability affects compliance with standards like GDPR or HIPAA.
However, denial of service could indirectly affect availability requirements under such regulations if critical DNS resolution services are disrupted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a BIND resolver performing DNSSEC validation to consume excessive CPU resources when processing a maliciously crafted zone. Detection can involve monitoring CPU usage on your DNS resolver for unusually high loads during DNSSEC validation.
While no specific detection commands are provided in the resources, you can monitor CPU usage on your system using standard tools such as `top` or `htop` on Linux systems to identify abnormal CPU consumption by the BIND process.
Additionally, you can check your BIND version to determine if it is within the affected versions by running the command: `named -v`.
Since the vulnerability is triggered by DNSSEC validation of malicious zones, monitoring DNS query logs for unusual or excessive DNSSEC-related queries might also help in detection.
What immediate steps should I take to mitigate this vulnerability?
The definitive mitigation is to upgrade BIND to patched versions: 9.18.47, 9.20.21, 9.21.20, or the corresponding Supported Preview Editions 9.18.47-S1 and 9.20.21-S1.
As a temporary workaround, you can disable DNSSEC validation by setting `dnssec-validation no;` in your BIND configuration. However, this is not recommended due to the security implications of disabling DNSSEC validation.
Monitoring your DNS resolver's CPU usage and query processing capacity can help you identify if the vulnerability is being exploited while you apply the fix.
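As an added example (not ISC's code and not part of the original page), the following POSIX shell script turns the `named -v` check from the detection answer and the fixed releases from the mitigation answer into a repeatable classification: it extracts the version from the banner and reports whether that release is affected, fixed, or on a branch this advisory does not list. It assumes, from the version table, that every release from 9.11.0 through 9.16.50 is affected with no fixed release on those branches, and that the -S1 editions share the fixed patch numbers 9.18.47 and 9.20.21.

```shell
#!/bin/sh
# Added example (not ISC's code): classify the version a BIND binary reports via
# `named -v` against the fixed releases this advisory lists (9.18.47, 9.20.21,
# 9.21.20, and the Supported Preview Editions 9.18.47-S1 and 9.20.21-S1).
# Assumption read from the version table: every release from 9.11.0 through
# 9.16.50 is affected and no fixed release is listed for those branches.

# Pull "9.18.46" or "9.18.46-S1" out of a banner such as
# "BIND 9.18.46 (Extended Support Version) <id:0123456>".
bind_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# Print one of: affected, fixed, not-listed (branch not covered by this advisory).
bind_version_status() {
    base=${1%%-*}                     # drop an edition suffix such as -S1
    IFS=. read -r major minor patch <<EOF
$base
EOF
    case "$patch" in ''|*[!0-9]*) echo not-listed; return ;; esac
    [ "$major" = 9 ] || { echo not-listed; return; }
    case "$minor" in
        11|12|13|14|15|16) echo affected; return ;;   # 9.11.0 .. 9.16.50, no fix listed
        18) fixed=47 ;;                               # fixed in 9.18.47 / 9.18.47-S1
        20) fixed=21 ;;                               # fixed in 9.20.21 / 9.20.21-S1
        21) fixed=20 ;;                               # fixed in 9.21.20
        *)  echo not-listed; return ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo affected; fi
}

# Report on the locally installed named if there is one; otherwise fall back to
# a constructed banner so the check still demonstrates itself offline.
bind_report() {
    if command -v named >/dev/null 2>&1; then
        banner=$(named -v 2>/dev/null | head -n 1)
    else
        banner='BIND 9.18.46 (Extended Support Version) <id:0123456>'   # constructed sample
    fi
    ver=$(bind_version_from_banner "$banner")
    printf 'BIND %s: %s (CVE-2026-1519)\n' "$ver" "$(bind_version_status "$ver")"
}

bind_report
```

Run it on each resolver host; a result of `affected` means the upgrade from the mitigation answer is still outstanding there.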