CVE-2026-1519: CWE-606 Unchecked Input for Loop Condition in ISC BIND 9
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
AI Analysis
Technical Summary
This vulnerability in ISC BIND 9 involves unchecked input for a loop condition (CWE-606) during DNSSEC validation by a resolver. When encountering a maliciously crafted DNS zone, the resolver may consume excessive CPU resources, leading to potential denial of service. The affected versions include BIND 9 releases from 9.11.0 to 9.21.19 and their S1 variants. Authoritative-only servers are mostly unaffected unless they perform recursive queries. The CVSS 3.1 base score is 7.5, indicating high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability (CPU exhaustion).
Potential Impact
The primary impact is excessive CPU consumption on BIND 9 resolvers performing DNSSEC validation when processing maliciously crafted zones. This can degrade resolver performance or cause denial of service conditions. There is no impact on confidentiality or integrity. Authoritative-only servers are generally unaffected unless they issue recursive queries, which is uncommon but possible. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the ISC vendor advisory for current remediation guidance. In the absence of an official fix, consider limiting exposure of vulnerable BIND 9 resolvers to untrusted zones or networks. Monitor ISC communications for updates on patches or workarounds. Since authoritative-only servers are generally unaffected, focus mitigation efforts on recursive resolvers performing DNSSEC validation.
CVE-2026-1519: CWE-606 Unchecked Input for Loop Condition in ISC BIND 9
Description
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in ISC BIND 9 involves unchecked input for a loop condition (CWE-606) during DNSSEC validation by a resolver. When encountering a maliciously crafted DNS zone, the resolver may consume excessive CPU resources, leading to potential denial of service. The affected versions include BIND 9 releases from 9.11.0 to 9.21.19 and their S1 variants. Authoritative-only servers are mostly unaffected unless they perform recursive queries. The CVSS 3.1 base score is 7.5, indicating high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability (CPU exhaustion).
Potential Impact
The primary impact is excessive CPU consumption on BIND 9 resolvers performing DNSSEC validation when processing maliciously crafted zones. This can degrade resolver performance or cause denial of service conditions. There is no impact on confidentiality or integrity. Authoritative-only servers are generally unaffected unless they issue recursive queries, which is uncommon but possible. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the ISC vendor advisory for current remediation guidance. In the absence of an official fix, consider limiting exposure of vulnerable BIND 9 resolvers to untrusted zones or networks. Monitor ISC communications for updates on patches or workarounds. Since authoritative-only servers are generally unaffected, focus mitigation efforts on recursive resolvers performing DNSSEC validation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- isc
- Date Reserved
- 2026-01-28T09:54:49.514Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c3eaa6f4197a8e3b5259e4
Added to database: 3/25/2026, 2:01:10 PM
Last enriched: 4/13/2026, 11:14:54 AM
Last updated: 5/10/2026, 1:31:04 AM
Views: 81
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.