BIND 9 DNSSEC Zone Crafting CPU Exhaustion (9.11-9.21)
CVE-2026-1519 Published on March 25, 2026
Excessive NSEC3 iterations cause high CPU load during insecure delegation validation
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
Vulnerability Analysis
CVE-2026-1519 can be exploited over the network and requires neither privileges nor user interaction. Its attack complexity is considered low. A successful exploit is considered to have no impact on confidentiality or integrity, and a high impact on availability.
Weakness Type
Unchecked Input for Loop Condition
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
Products Associated with CVE-2026-1519
ISC BIND, Canonical Ubuntu Linux
Affected Versions
ISC BIND 9:
- Version 9.11.0, <= 9.16.50 is affected.
- Version 9.18.0, <= 9.18.46 is affected.
- Version 9.20.0, <= 9.20.20 is affected.
- Version 9.21.0, <= 9.21.19 is affected.
- Version 9.11.3-S1, <= 9.16.50-S1 is affected.
- Version 9.18.11-S1, <= 9.18.46-S1 is affected.
- Version 9.20.9-S1, <= 9.20.20-S1 is affected.
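To check a resolver fleet against the ranges above, the following added example (not part of the original advisory or ISC's tooling) parses a version string such as the output of named -v and reports whether it falls in a listed range. The function names and sample strings are constructed for illustration, and it assumes the number after "-S" does not affect the range comparison.

```python
import re

# Affected ranges exactly as listed on this page (inclusive bounds).
OPEN_SOURCE_RANGES = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 46)),
    ((9, 20, 0), (9, 20, 20)),
    ((9, 21, 0), (9, 21, 19)),
]
# Ranges for the "-S" builds, also from this page.
S_EDITION_RANGES = [
    ((9, 11, 3), (9, 16, 50)),
    ((9, 18, 11), (9, 18, 46)),
    ((9, 20, 9), (9, 20, 20)),
]

# Matches "9.18.46" or "9.18.46-S1"; a distro suffix like "-0ubuntu5" is ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_bind_version(text):
    """Return ((major, minor, patch), is_s_edition) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    triple = tuple(int(m.group(i)) for i in (1, 2, 3))
    return triple, m.group(4) is not None


def is_listed_affected(text):
    """True if the version falls inside a range this page lists as affected.

    Assumption: the digit after "-S" is not compared, only the x.y.z triple.
    Distribution packages may carry backported fixes without changing the
    upstream version number, so confirm a True result with the vendor.
    """
    triple, is_s = parse_bind_version(text)
    ranges = S_EDITION_RANGES if is_s else OPEN_SOURCE_RANGES
    return any(lo <= triple <= hi for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample strings, not captured from real hosts.
    for sample in ("BIND 9.18.24-0ubuntu5-Ubuntu (Extended Support Version) <id:>",
                   "9.20.9-S1", "9.20.8-S1", "9.18.47"):
        print(f"{sample!r}: listed as affected = {is_listed_affected(sample)}")
```

A False result only means the version is outside the ranges listed here; it says nothing about other advisories.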