
Publicly announced on March 25, 2026, the flaws affect both DNS resolvers and authoritative servers.
If exploited, attackers could exhaust server CPU, crash the named process, or bypass access control lists, depending on how the server is configured.
The most severe issue, tracked as CVE-2026-1519, carries a high CVSS score of 7.5 and enables a denial-of-service condition through excessive CPU consumption.
The vulnerability is triggered when a BIND resolver performs DNSSEC validation on a specially crafted malicious zone.
This forces the server to process a large number of NSEC3 iterations, significantly increasing CPU usage and reducing the system’s ability to respond to legitimate DNS queries.
Although disabling DNSSEC validation can prevent exploitation, security experts strongly discourage this workaround because it weakens DNS integrity protections. Instead, administrators are advised to apply the official patches.
A second flaw, CVE-2026-3119 (CVSS 6.5), can cause the named server process to crash when handling a valid DNS query containing a TKEY record.
Exploitation requires the attacker to possess a valid Transaction Signature (TSIG) key already configured on the server.
While this limits the attack surface, any party that holds one of the configured keys (secondaries, dynamic-update clients, automation) can trigger the crash, so a leaked or widely shared key turns this into a remote denial of service. As a temporary mitigation, administrators should audit the keys defined in named.conf and remove those that are unused, untrusted, or shared more widely than necessary.
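The TSIG audit recommended above can be scripted. The following is an added example, not ISC's code or tooling: it walks a named.conf with a deliberately simple regex pass (not a full BIND grammar), lists every `key` statement, reports keys that no allow-* clause or `keys { }` list references, flags keys still on hmac-md5, and, to cover the ACL point raised later in the advisory, flags allow-recursion, allow-transfer and allow-update clauses that are wide open with `any`. The sample configuration is constructed for the demonstration and does not describe any real deployment.

```python
"""Audit a BIND named.conf for unused or weak TSIG keys and open allow-* ACLs.
Added illustration (not ISC code). The parser is a regex pass over the
configuration text; nested include files and every BIND syntax corner are
out of scope, so treat findings as a starting point for a manual review."""
import re
import sys

# Constructed sample named.conf for the demonstration (not a real server).
SAMPLE_NAMED_CONF = """
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0MQ==";
};

key "legacy-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0Mg==";
};

key "ddns-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0Mw==";
};

options {
    allow-query { any; };
    allow-recursion { any; };
};

zone "example.test" {
    type primary;
    file "db.example.test";
    allow-transfer { key "xfer-key"; };
    allow-update { key ddns-key; };
};
"""

KEY_BLOCK = re.compile(r'(?<![\w-])key\s+"?([\w.-]+)"?\s*\{(.*?)\};', re.S)
ALLOW_CLAUSE = re.compile(
    r'(allow-(?:query|recursion|transfer|update|notify))\s*\{([^}]*)\}')
KEY_REF = re.compile(r'(?<![\w-])key\s+"?([\w.-]+)"?')
KEYS_LIST = re.compile(r'(?<![\w-])keys\s*\{([^}]*)\}')
WEAK_ALGS = {"hmac-md5"}                # deprecated for TSIG, rotate to hmac-sha256
OPEN_IS_DANGEROUS = {"allow-recursion", "allow-transfer", "allow-update"}


def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out keys are not counted."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def defined_keys(conf):
    """Return {key name: algorithm} for every key statement in the config."""
    keys = {}
    for name, body in KEY_BLOCK.findall(strip_comments(conf)):
        alg = re.search(r'algorithm\s+([\w-]+)', body)
        keys[name] = alg.group(1).lower() if alg else "unknown"
    return keys


def referenced_keys(conf):
    """Names of keys used by any allow-* clause or server keys { } list."""
    conf = strip_comments(conf)
    refs = set()
    for _, body in ALLOW_CLAUSE.findall(conf):
        refs.update(KEY_REF.findall(body))
    for body in KEYS_LIST.findall(conf):
        refs.update(re.findall(r'"?([\w.-]+)"?\s*;', body))
    return refs


def audit(conf):
    """Return a list of human-readable findings, empty if nothing was flagged."""
    findings = []
    used = referenced_keys(conf)
    for name, alg in sorted(defined_keys(conf).items()):
        if name not in used:
            findings.append(f"unused TSIG key '{name}' ({alg}): remove it")
        if alg in WEAK_ALGS:
            findings.append(f"weak algorithm on key '{name}': {alg}; rotate to hmac-sha256")
    for clause, body in ALLOW_CLAUSE.findall(strip_comments(conf)):
        if clause in OPEN_IS_DANGEROUS and re.search(r'\bany\b', body):
            findings.append(f"{clause} is default-allow ({body.strip()}): restrict it")
    return findings


if __name__ == "__main__":
    # Usage: python3 tsig_audit.py /etc/bind/named.conf  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NAMED_CONF
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run against the built-in sample, the script reports the unreferenced `legacy-key`, its hmac-md5 algorithm, and the open `allow-recursion`; `allow-query { any; }` is deliberately not flagged, since that is the normal setting for a public authoritative server.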
The third vulnerability, CVE-2026-3591 (CVSS 5.4), is a stack use-after-return issue in SIG(0) handling.
This flaw allows attackers to bypass Access Control Lists (ACLs) by sending specially crafted DNS requests that manipulate IP address matching.
In environments using default-allow ACL configurations, this could result in unauthorized access to restricted resources. ISC has confirmed that no workaround exists for this issue, making patching essential.
Affected versions span multiple BIND 9 branches, including:
- CVE-2026-1519: Versions 9.11.0–9.16.50, 9.18.0–9.18.46, 9.20.0–9.20.20, 9.21.0–9.21.19
- CVE-2026-3119 and CVE-2026-3591: Versions 9.20.0–9.20.20 and 9.21.0–9.21.19
ISC has released patched versions to address these vulnerabilities: 9.18.47, 9.20.21, and 9.21.20. No fixed release is listed for the 9.11 through 9.16 branches, which ISC no longer maintains, so deployments still on those branches must move to a supported branch to close CVE-2026-1519.
Users of the BIND Supported Preview Edition are also advised to apply the corresponding S1 updates immediately.
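To turn the version lists above into a check that can run on each server, here is an added example (not ISC's code): it parses the X.Y.Z version out of `named -v` output, maps it onto the affected ranges and fixed releases quoted in this advisory, and names the release to move to. The caveat a practitioner needs is in the comments: distribution packages often backport fixes without bumping the upstream version, so a hit here means "verify against your vendor's advisory", not "definitely vulnerable".

```python
"""Check a BIND version string against the ranges published in this advisory.
Added illustration, not ISC tooling. Ranges and fixed releases are copied from
the advisory text; everything else (function names, output format) is ours."""
import re
import sys

# Affected ranges as listed above, inclusive at both ends.
AFFECTED = {
    "CVE-2026-1519": [((9, 11, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 46)),
                      ((9, 20, 0), (9, 20, 20)), ((9, 21, 0), (9, 21, 19))],
    "CVE-2026-3119": [((9, 20, 0), (9, 20, 20)), ((9, 21, 0), (9, 21, 19))],
    "CVE-2026-3591": [((9, 20, 0), (9, 20, 20)), ((9, 21, 0), (9, 21, 19))],
}
# First fixed release per maintained branch, as listed above.
FIXED = {(9, 18): (9, 18, 47), (9, 20): (9, 20, 21), (9, 21): (9, 21, 20)}


def parse_version(text):
    """Extract (major, minor, patch) from 'named -v' output such as
    'BIND 9.18.46-1ubuntu1 (Extended Support Version) <id:...>'.
    Caveat: distro packages may carry backported fixes at an older upstream
    number, so a match here is a prompt to check the vendor advisory."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """CVE identifiers whose published ranges contain this version."""
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= version <= hi for lo, hi in ranges)]


def recommended_upgrade(version):
    """Fixed release to move to, or None if the version is already fixed.
    Branches without a listed fix (9.11 through 9.16) are pointed at the
    newest listed fixed release, i.e. a move to a maintained branch."""
    branch = version[:2]
    if branch in FIXED:
        return FIXED[branch] if version < FIXED[branch] else None
    return max(FIXED.values())


def report(named_v_output):
    """One-line verdict suitable for fleet-wide collection."""
    version = parse_version(named_v_output)
    hits = affected_cves(version)
    if not hits:
        return f"{'.'.join(map(str, version))}: not in any published affected range"
    target = ".".join(map(str, recommended_upgrade(version)))
    return (f"{'.'.join(map(str, version))}: affected by {', '.join(hits)}; "
            f"upgrade to {target} (or confirm a vendor backport)")


if __name__ == "__main__":
    # Usage: python3 bind_check.py "$(named -v)"
    print(report(sys.argv[1] if len(sys.argv) > 1 else "BIND 9.18.46"))
```

Because version tuples compare lexicographically, the single 9.11.0 to 9.16.50 range also covers the intermediate 9.12 through 9.15 branches, which is how the advisory lists it.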
At the time of disclosure, there is no evidence of active exploitation in the wild. However, given BIND’s critical role in global internet infrastructure, these vulnerabilities present a significant risk if left unpatched.
Security teams and network administrators are strongly urged to verify their deployed BIND versions and upgrade to the latest patched releases without delay.
Proactive patch management and configuration reviews remain essential to maintaining resilient and secure DNS operations.
The post BIND 9 Vulnerabilities Allow Attackers to Bypass Security and Crash Servers appeared first on Cyber Security News.
