The Internet Systems Consortium (ISC) has disclosed three new vulnerabilities in BIND 9, widely used DNS server software. These issues can allow attackers to bypass access controls, overload system resources, or even crash DNS servers if left unpatched.
Announced on March 25, 2026, the vulnerabilities impact both authoritative servers and DNS resolvers, making them a serious concern for organizations relying on BIND 9 for critical network operations. Administrators are strongly advised to apply patches immediately to avoid service disruption or unauthorized access.
CVE Breakdown and Security Impact
The most severe issue, CVE-2026-1519 (CVSS 7.5 – High), can lead to a Denial of Service. It is triggered when a resolver performs DNSSEC validation on a specially crafted zone, causing excessive NSEC3 processing. This results in high CPU usage and significantly reduces the server’s ability to handle queries. While disabling DNSSEC validation can reduce the impact, it is not recommended as it weakens security.
The second issue, CVE-2026-3119 (CVSS 6.5 – Medium), can cause the BIND “named” process to crash. This happens when handling a valid query containing a TKEY record. However, exploitation requires access to a trusted TSIG key already configured on the server. As a temporary measure, administrators should review and remove any unnecessary or potentially compromised TSIG keys.
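The TSIG key review suggested above is easier when you have an inventory of which keys named.conf defines and which of them are actually referenced by a zone or server statement. The following script is an added example written for this article, not ISC code: it parses `key` statements from a constructed named.conf fragment (the key names, algorithms and base64 secrets are made up) and lists keys that nothing else in the configuration refers to, which are the natural candidates for removal. The reference count is a textual heuristic and does not follow `include` directives.

```python
import re

# Constructed sample named.conf fragment; names and secrets are not real.
SAMPLE_NAMED_CONF = """
// TSIG key used by the secondary for zone transfers
key "xfer-key" {
    algorithm hmac-sha256;
    secret "dGVzdC1zZWNyZXQtbm90LXJlYWw=";
};

/* left over from a decommissioned dynamic-update client */
key "old-update-key" {
    algorithm hmac-md5;
    secret "b2xkLXNlY3JldC1ub3QtcmVhbA==";
};

zone "example.test" {
    type primary;
    file "db.example.test";
    allow-transfer { key "xfer-key"; };
};
"""

# Matches a top-level key definition: key "name" { ... };
# (it does not match ACL references such as  allow-transfer { key "name"; };
#  because those are followed by ';' rather than '{').
KEY_DEF_RE = re.compile(r'\bkey\s+"?([A-Za-z0-9_.-]+)"?\s*\{([^}]*)\}\s*;', re.S)


def strip_comments(text):
    """Remove /* */, // and # comments so key names inside comments are not
    counted as references."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def inventory_tsig_keys(conf):
    """Return {key_name: {"algorithm": str|None, "references": int}} for
    every key statement in the configuration text.  'references' counts
    mentions of the key name outside its own definition block."""
    text = strip_comments(conf)
    keys = {}
    for m in KEY_DEF_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        alg = re.search(r"\balgorithm\s+([\w-]+)", body)
        keys[name] = {"algorithm": alg.group(1) if alg else None, "references": 0}
    # Remove the definitions themselves, then count remaining mentions.
    rest = KEY_DEF_RE.sub("", text)
    for name in keys:
        keys[name]["references"] = len(re.findall(r"\b" + re.escape(name) + r"\b", rest))
    return keys


def unreferenced_keys(conf):
    """Names of defined keys that no other statement refers to."""
    return sorted(n for n, info in inventory_tsig_keys(conf).items()
                  if info["references"] == 0)


if __name__ == "__main__":
    for name, info in inventory_tsig_keys(SAMPLE_NAMED_CONF).items():
        print(f"{name}: algorithm={info['algorithm']} references={info['references']}")
    print("candidates for removal:", unreferenced_keys(SAMPLE_NAMED_CONF))
```

Run it against your own configuration by reading the file into `inventory_tsig_keys`; a key with zero references is not necessarily unused (it may be consumed only by an out-of-band tool such as nsupdate), so confirm before deleting, and rotate any key whose secret may have been exposed.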
The third vulnerability, CVE-2026-3591 (CVSS 5.4 – Medium), is related to improper memory handling in SIG(0) processing. A crafted DNS request can lead to incorrect ACL checks, potentially allowing unauthorized access in environments where permissive access rules are used. There are no effective workarounds for this issue, making patching essential.
Affected Versions and Fixes
These vulnerabilities impact multiple BIND 9 versions, including:
- 9.11.0 to 9.16.50
- 9.18.0 to 9.18.46
- 9.20.0 to 9.20.20
- 9.21.0 to 9.21.19
To address these issues, ISC has released patched versions:
- 9.18.47
- 9.20.21
- 9.21.20
Users of the BIND Supported Preview Edition should also apply the relevant S1 patches immediately.
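To check whether a deployed server falls inside the affected ranges listed above, the following script, an added example for this article rather than an ISC tool, parses the banner printed by `named -v` and compares the version against the advisory's inclusive ranges. The sample banner strings are constructed; the ranges and fixed releases are those stated in the advisory summary, and `-S1` Supported Preview suffixes are accepted and ignored for the comparison.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory summary (inclusive bounds).
AFFECTED_RANGES = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 46)),
    ((9, 20, 0), (9, 20, 20)),
    ((9, 21, 0), (9, 21, 19)),
]

# First fixed release per maintained branch, from the advisory.
FIXED_VERSIONS = {
    (9, 18): (9, 18, 47),
    (9, 20): (9, 20, 21),
    (9, 21): (9, 21, 20),
}

# Matches e.g. "BIND 9.18.46 (Extended Support Version) <id:...>" or
# "BIND 9.20.21-S1 (Supported Preview Edition)".
VERSION_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_named_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from 'named -v' output, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version: Version) -> bool:
    """True if the version lies inside any advisory range (tuple comparison
    is lexicographic, so (9, 18, 46) <= (9, 18, 47) as expected)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(banner: str) -> dict:
    """Return the parsed version, whether it is affected, and what to do."""
    version = parse_named_version(banner)
    if version is None:
        return {"version": None, "affected": None,
                "advice": "could not parse a BIND version from the banner"}
    if not is_affected(version):
        return {"version": version, "affected": False,
                "advice": "not in an affected range"}
    target = FIXED_VERSIONS.get(version[:2])
    if target:
        advice = "upgrade to %d.%d.%d" % target
    else:
        # 9.11 through 9.16 are affected but the advisory lists no fix for them.
        advice = "no fixed release listed for this branch; move to 9.18.47, 9.20.21 or 9.21.20"
    return {"version": version, "affected": True, "advice": advice}


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["named", "-v"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    print(assess(out))
```

One caveat a practitioner should keep in mind: operating-system packages often backport security fixes while keeping the upstream version number, so a banner inside an affected range on a distribution-packaged BIND must be cross-checked against the distribution's own advisory rather than treated as proof of exposure.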
At the time of disclosure, there are no confirmed reports of active exploitation. However, due to the potential impact on DNS infrastructure, organizations should prioritize updates, verify their deployed versions, and ensure proper monitoring to reduce risk.