Description
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (CPU exhaustion)
Action: Patch
AI Analysis

Impact

The vulnerability arises when a BIND resolver that validates DNSSEC encounters a malicious zone containing an excessive number of NSEC3 iterations. The resolver spends a large amount of CPU time processing the invalid NSEC3 proofs, which can exhaust server resources and lead to denial of service. This is a classic resource exhaustion flaw, reflected by CWE-770. Only resolvers with DNSSEC validation enabled are vulnerable; authoritative-only servers are normally unaffected unless they perform recursive queries.

Affected Systems

The affected product is ISC BIND 9. All releases from 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, and 9.21.0 through 9.21.19, as well as their security patch releases 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1 are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. Though the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the high CVSS coupled with the availability of a malicious zone makes exploitation plausible. Attackers can remotely trigger the issue by making the resolver query a crafted zone while DNSSEC validation is active, causing CPU exhaustion. The community recommends upgrading to the patched releases or, as a temporary measure, disabling DNSSEC validation to mitigate the risk.

Generated by OpenCVE AI on March 26, 2026 at 03:21 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.47, 9.20.21, 9.21.20, 9.18.47-S1, or 9.20.21-S1.


Vendor Workaround

This is not recommended, but disabling DNSSEC (`dnssec-validation no;`) prevents exploitation of this issue.


OpenCVE Recommended Actions

  • Upgrade to the patched release most closely related to your current version of BIND 9 (9.18.47, 9.20.21, 9.21.20, 9.18.47-S1, or 9.20.21-S1).
  • If an upgrade is not immediately possible, disable DNSSEC validation with the directive `dnssec-validation no;`.
  • After applying the fix or workaround, monitor CPU usage to confirm that the vulnerability is no longer exercised.

Generated by OpenCVE AI on March 26, 2026 at 03:21 UTC.
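The two checks the actions above imply (is the running version inside an affected range, and is DNSSEC validation still on?) can be scripted. The following Python is an added example written for this page; it is not code from OpenCVE, ISC or any linked advisory. It assumes the version line has the shape `named -v` prints ("BIND 9.18.46 ..."), that a missing `dnssec-validation` directive means the modern default `auto`, and that the 9.11-9.16 line, for which the advisory lists no patched release, should be mapped to 9.18.47 as "the patched release most closely related"; that mapping is my reading, not ISC's. The sample `named -v` line and named.conf fragment are constructed.

```python
import re

# Affected ranges and patched releases for CVE-2026-1519, as stated in the
# advisory. Tuples compare lexicographically, so (9, 18, 46) <= (9, 18, 47).
# The 9.11.x-9.16.x line has no patched release listed; mapping it to 9.18.47
# is an assumption based on "most closely related", not ISC's text.
AFFECTED = [
    ((9, 11, 0), (9, 16, 50), "9.18.47 (9.11-9.16 has no fix; move to a supported branch)"),
    ((9, 18, 0), (9, 18, 46), "9.18.47"),
    ((9, 20, 0), (9, 20, 20), "9.20.21"),
    ((9, 21, 0), (9, 21, 19), "9.21.20"),
]
# Subscription (-S1) editions have their own ranges and fixed releases.
AFFECTED_S1 = [
    ((9, 11, 3), (9, 16, 50), "9.18.47-S1 (9.11-9.16 has no fix; move to a supported branch)"),
    ((9, 18, 11), (9, 18, 46), "9.18.47-S1"),
    ((9, 20, 9), (9, 20, 20), "9.20.21-S1"),
]

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")
DIRECTIVE_RE = re.compile(r"\bdnssec-validation\s+(auto|yes|no)\s*;", re.I)


def parse_version(named_v_output):
    """Pull (major, minor, patch) and any -S suffix out of `named -v` style text."""
    m = VERSION_RE.search(named_v_output)
    if not m:
        raise ValueError(f"no BIND version found in {named_v_output!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), (m.group(4) or "")


def assess_version(named_v_output):
    """Return (affected, recommended_release).

    Branches the advisory does not list (e.g. 9.17 or 9.19 development
    releases) come back as not affected only because they are not listed,
    not because they were checked."""
    version, suffix = parse_version(named_v_output)
    table = AFFECTED_S1 if suffix == "-S1" else AFFECTED
    for low, high, fix in table:
        if low <= version <= high:
            return True, fix
    return False, None


def validation_setting(named_conf):
    """Effective dnssec-validation value ('auto', 'yes' or 'no') from named.conf text.

    Assumes the modern BIND default of 'auto' when the directive is absent and
    takes the last occurrence; per-view overrides would need block-aware parsing."""
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)  # drop /* ... */ comments
    text = re.sub(r"(//|#).*", "", text)                        # drop // and # comments
    found = DIRECTIVE_RE.findall(text)
    return found[-1].lower() if found else "auto"


def assess(named_v_output, named_conf):
    """Combine both checks: a resolver is exposed only if it runs an affected
    version AND still validates DNSSEC (the vendor's non-recommended workaround
    is what turns the second condition off)."""
    affected, fix = assess_version(named_v_output)
    setting = validation_setting(named_conf)
    return {
        "affected_version": affected,
        "recommended_release": fix,
        "dnssec_validation": setting,
        "exposed": affected and setting != "no",
    }


# Constructed sample inputs: the version line mimics the shape `named -v`
# prints, but the <id:...> value is made up; the config is a minimal fragment.
SAMPLE_NAMED_V = "BIND 9.18.46 (Extended Support Version) <id:0000000>"
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    // dnssec-validation no;   commented out, so it must not count
    dnssec-validation auto;
};
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_NAMED_V, SAMPLE_NAMED_CONF).items():
        print(f"{key}: {value}")
```

On a real host, feed `assess()` the output of `named -v` and the contents of the running named.conf (after `named-checkconf -p` if you use includes, so that included files are expanded). The "exposed" flag is what the third action above asks you to confirm: it should flip to false after the upgrade, or after the workaround if you had to take it.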

Advisories

Source       ID           Title
Debian DLA   DLA-4529-1   bind9 security update
Debian DSA   DSA-6181-1   bind9 security update
Ubuntu USN   USN-8124-1   Bind vulnerabilities

History

Mon, 13 Apr 2026 10:30:00 +0000

  Type        Values Removed   Values Added
  References  -                -

Thu, 26 Mar 2026 00:15:00 +0000

  Type        Values Removed          Values Added
  Weaknesses  -                       CWE-770
  References  -                       -
  Metrics     threat_severity: None   threat_severity: Important

Wed, 25 Mar 2026 16:15:00 +0000

  Type        Values Removed   Values Added
  Metrics     -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 14:00:00 +0000

  Type                 Values Removed   Values Added
  Description          -                (initial advisory description; identical to the Description section at the top of this page)
  Title                -                Excessive NSEC3 iterations cause high CPU load during insecure delegation validation
  First Time appeared  -                Isc; Isc bind
  Weaknesses           -                CWE-606
  CPEs                 -                cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
  Vendors & Products   -                Isc; Isc bind
  References           -                -
  Metrics              -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED
Assigner: isc
Published:
Updated: 2026-04-13T09:35:57.526Z
Reserved: 2026-01-28T09:54:49.514Z
Link: CVE-2026-1519

Vulnrichment

Updated: 2026-04-13T09:35:57.526Z

NVD

Status: Awaiting Analysis
Published: 2026-03-25T14:16:33.110
Modified: 2026-04-13T10:16:11.147
Link: CVE-2026-1519

Redhat

Severity: Important
Public Date: 2026-03-25T13:25:19Z
Links: CVE-2026-1519 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:13:27Z

Weaknesses