GBHackers

BIND 9 Security Flaws Allow Attackers to Bypass Security Controls and Crash Servers


The Internet Systems Consortium (ISC) has released critical security advisories addressing three new vulnerabilities in the widely used BIND 9 Domain Name System (DNS) software suite.

If left unpatched, remote attackers could exploit these weaknesses to bypass access control lists, consume excessive system resources, or crash DNS servers entirely.

Network administrators must apply the provided patches immediately to secure their infrastructure, as these issues affect both authoritative servers and DNS resolvers.

Publicly disclosed by ISC on March 25, 2026, these flaws present serious risks for network administrators.

High CPU Load and Server Crashes

The most critical of the three vulnerabilities is CVE-2026-1519, a high-severity flaw that can cause a Denial of Service (DoS) condition.

When a BIND resolver performs DNSSEC validation on a maliciously crafted zone, it triggers excessive NSEC3 iterations.

This process consumes heavy CPU resources and sharply decreases the number of queries the server can handle.

While disabling DNSSEC validation prevents this issue, security experts strongly advise against using this workaround.

Another medium-severity vulnerability, tracked as CVE-2026-3119, causes the named server process to crash unexpectedly.

This occurs when the server processes a correctly signed query containing a TKEY record. To successfully exploit this flaw, an attacker must possess a valid transaction signature (TSIG) from a key already declared in the server’s configuration.

Administrators can temporarily mitigate this risk by identifying and removing any compromised or unnecessary TSIG keys.

The third vulnerability, CVE-2026-3591, is a medium-severity stack use-after-return flaw found in the SIG(0) handling code.

By sending a specially crafted DNS request, an attacker can manipulate the server into improperly matching an IP address against its Access Control List (ACL).

If a network relies on a default-allow ACL, this flaw could grant unauthorized access to services the ACL was meant to restrict.

There are no known workarounds for this specific vulnerability, making direct patching the only solution.
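The ACL-bypass flaw only matters where a server falls back to a default-allow list, so the practical defensive check is to find `allow-*` statements that end in an unnegated `any`. The following is an added example, not ISC's or BIND's own tooling: it scans a `named.conf` fragment for the standard BIND access-control statements and reports any whose address-match list admits every client, showing a weak fragment beside a tightened one. Both configuration fragments and the network ranges in them are constructed samples.

```python
"""Flag default-allow ACLs in a named.conf fragment.

Added example, not ISC's or BIND's own tooling. It scans the allow-* access
control statements BIND uses and reports any whose address-match list ends up
allowing every client (an unnegated 'any'). The configuration fragments below
are constructed samples.
"""
import re

# named.conf access-control statements whose value is an address-match list.
ACL_STATEMENTS = ("allow-query", "allow-query-cache", "allow-recursion",
                  "allow-transfer", "allow-update", "allow-notify")

_STMT = re.compile(r"\b(" + "|".join(ACL_STATEMENTS) + r")\s*\{([^}]*)\}")


def _strip_comments(conf):
    """Drop //, # and /* */ comments so commented-out lines are not audited."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def audit_acls(conf):
    """Return (statement, match_list) pairs whose list contains an unnegated
    'any', i.e. default-allow lists. '!any' and 'none' are not flagged."""
    findings = []
    for stmt, body in _STMT.findall(_strip_comments(conf)):
        items = [i.strip() for i in body.split(";") if i.strip()]
        if any(i == "any" for i in items):
            findings.append((stmt, "; ".join(items)))
    return findings


# Constructed sample: every ACL is default-allow.
WEAK_CONF = """\
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
    allow-transfer { any; };
};
"""

# Constructed sample: explicit ACLs, nothing falls through to 'any'.
HARDENED_CONF = """\
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // constructed ranges
acl secondaries { 192.0.2.53; };                           // constructed address

options {
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-transfer { secondaries; };
    // allow-update { any; };   commented out, so not flagged
};
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_acls(conf))
```

To audit a live server rather than a fragment, feed the script the output of `named-checkconf -p`, which prints the fully expanded configuration, so statements hidden in included files are covered too.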

CVE ID | CVSS Score | Severity | Impact | Affected Versions
--- | --- | --- | --- | ---
CVE-2026-1519 | 7.5 | High | High CPU Load (DoS) | 9.11.0 to 9.16.50, 9.18.0 to 9.18.46, 9.20.0 to 9.20.20, 9.21.0 to 9.21.19
CVE-2026-3119 | 6.5 | Medium | Server Crash (DoS) | 9.20.0 to 9.20.20, 9.21.0 to 9.21.19
CVE-2026-3591 | 5.4 | Medium | ACL Bypass | 9.20.0 to 9.20.20, 9.21.0 to 9.21.19

Currently, the ISC is not aware of any active exploits for these vulnerabilities in the wild.

However, given the potential impact on global DNS operations, organizations should prioritize upgrading their software to the latest patched releases.

The ISC has issued updates across its supported branches to address these vulnerabilities completely.

Depending on the current deployment, users should transition to patched versions 9.18.47, 9.20.21, or 9.21.20.

Furthermore, eligible customers using the BIND Supported Preview Edition should apply the corresponding S1 patches immediately to maintain secure and stable DNS operations.

Administrators are encouraged to verify their active branch and apply the appropriate update to prevent exploitation.
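Verifying the active branch comes down to reading the version that `named -v` reports and comparing it against the affected ranges and the first fixed release on each branch. The script below is an added example, not ISC's code: the ranges and patched versions are copied from the advisory table and the upgrade list above, the sample version strings are constructed, and `named -v` is only invoked when the binary is present on the host.

```python
"""Check a BIND 9 version string against the affected ranges in this advisory.

Added example, not ISC's code. The ranges and patched releases are copied from
the advisory text on this page; sample version strings are constructed.
Pass the output of `named -v` to check_named_version().
"""
import re
import subprocess

# Inclusive affected ranges per CVE, from the advisory table.
AFFECTED = {
    "CVE-2026-1519": [("9.11.0", "9.16.50"), ("9.18.0", "9.18.46"),
                      ("9.20.0", "9.20.20"), ("9.21.0", "9.21.19")],
    "CVE-2026-3119": [("9.20.0", "9.20.20"), ("9.21.0", "9.21.19")],
    "CVE-2026-3591": [("9.20.0", "9.20.20"), ("9.21.0", "9.21.19")],
}

# First fixed release on each supported branch named in the advisory.
PATCHED = {"9.18": "9.18.47", "9.20": "9.20.21", "9.21": "9.21.20"}


def parse_version(text):
    """Return (major, minor, patch) from `named -v` output such as
    'BIND 9.18.46 (Extended Support Version) <id:...>' or a bare '9.20.20'.
    Supported Preview Edition builds carry an -S suffix and are not covered
    by the ranges above; only the leading x.y.z is read."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def in_range(ver, lo, hi):
    """Inclusive tuple comparison, so 9.18.46 <= 9.18.46 counts as affected."""
    return parse_version(lo) <= ver <= parse_version(hi)


def check_named_version(text):
    """Return the parsed version, the CVEs whose affected range contains it,
    and the patched release for its branch (None when the branch is not one
    of the supported branches named in the advisory)."""
    ver = parse_version(text)
    hits = sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(ver, lo, hi) for lo, hi in ranges))
    branch = f"{ver[0]}.{ver[1]}"
    return {"version": ".".join(map(str, ver)),
            "affected_by": hits,
            "upgrade_to": PATCHED.get(branch)}


if __name__ == "__main__":
    try:
        out = subprocess.run(["named", "-v"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        # Constructed sample used when named is not installed on this host.
        out = "BIND 9.18.46 (Extended Support Version) <id:placeholder>"
    print(check_named_version(out))
```

A version on a branch the advisory does not list as supported (for example the 9.16 range that is affected by CVE-2026-1519) returns `upgrade_to` of `None`, which is the signal to move to a supported branch rather than look for a point release.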
