CVE-2026-1519
Analyzed Analyzed - Analysis Complete
CPU Exhaustion Vulnerability in BIND DNSSEC-Validating Resolvers

Publication date: 2026-03-25

Last updated on: 2026-05-21

Assigner: Internet Systems Consortium (ISC)

Description
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1519
EUVD
EUVD-2026-15406
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
isc bind From 9.11.0 (inc) to 9.16.50 (inc)
isc bind From 9.20.0 (inc) to 9.20.21 (exc)
isc bind From 9.21.0 (inc) to 9.21.20 (exc)
isc bind From 9.18.0 (inc) to 9.18.47 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-606 The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in BIND DNS resolvers that perform DNSSEC validation. When the resolver encounters a maliciously crafted DNS zone, it may consume excessive CPU resources. This can lead to performance degradation or denial of service conditions on the affected resolver.

Authoritative-only servers are generally not affected by this issue, although there are some cases where authoritative servers may perform recursive queries and thus could be impacted.

Impact Analysis

The primary impact of this vulnerability is excessive CPU consumption on BIND DNS resolvers performing DNSSEC validation when processing maliciously crafted zones. This can degrade the performance of the DNS resolver, potentially leading to denial of service or reduced availability of DNS resolution services.

Compliance Impact

The vulnerability causes excessive CPU consumption leading to denial of service conditions on affected BIND resolvers, but it does not impact confidentiality or integrity of data.

Since the CVE description and resources indicate no loss or compromise of confidential or personal data, there is no direct indication that this vulnerability affects compliance with standards like GDPR or HIPAA.

However, denial of service could indirectly affect availability requirements under such regulations if critical DNS resolution services are disrupted.

Detection Guidance

This vulnerability causes a BIND resolver performing DNSSEC validation to consume excessive CPU resources when processing a maliciously crafted zone. Detection can involve monitoring CPU usage on your DNS resolver for unusually high loads during DNSSEC validation.

While no specific detection commands are provided in the resources, you can monitor CPU usage on your system using standard tools such as 'top' or 'htop' on Linux systems to identify abnormal CPU consumption by the BIND process.

Additionally, you can check your BIND version to determine if it is within the affected versions by running the command: `named -v`.

Since the vulnerability is triggered by DNSSEC validation of malicious zones, monitoring DNS query logs for unusual or excessive DNSSEC-related queries might also help in detection.

Mitigation Strategies

The definitive mitigation is to upgrade BIND to patched versions: 9.18.47, 9.20.21, 9.21.20, or the corresponding Supported Preview Editions 9.18.47-S1 and 9.20.21-S1.

As a temporary workaround, you can disable DNSSEC validation by setting `dnssec-validation no;` in your BIND configuration. However, this is not recommended due to the security implications of disabling DNSSEC validation.

Monitoring your DNS resolver's CPU usage and query processing capacity can help you identify if the vulnerability is being exploited while you apply the fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1519. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart