CVE-2026-1519

Summary

If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.11.0 <= 9.16.50affected
ISCBIND 99.18.0 <= 9.18.46affected
ISCBIND 99.20.0 <= 9.20.20affected
ISCBIND 99.21.0 <= 9.21.19affected
ISCBIND 99.11.3-S1 <= 9.16.50-S1affected
ISCBIND 99.18.11-S1 <= 9.18.46-S1affected
ISCBIND 99.20.9-S1 <= 9.20.20-S1affected

Weaknesses

  • CWE-606: CWE-606 Unchecked Input for Loop Condition

Workarounds

This is not recommended, but disabling DNSSEC (dnssec-validation no;) prevents exploitation of this issue.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone

Additional References

References