Description
BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BIND 9 resolvers are exposed to an amplified resource consumption attack when a resolver queries a specially crafted zone that contains self-pointed glue records. While processing the response, the resolver allocates disproportionately large amounts of memory and CPU, which can lead to a denial of service. The weakness is classified as resource exhaustion (CWE-408).

Affected Systems

ISC BIND 9 servers running any of the following version ranges are affected: 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and the corresponding security releases 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, with availability as the only affected property. No EPSS score is available, and the absence of a KEV listing suggests that exploitation, if any, has so far been limited. The attack is likely triggered by a remote DNS client that sends queries to the resolver, which then processes an amplified response from a malicious zone. Network-level defenses such as rate limiting or blocking self-pointed glue records can reduce the impact, but the primary mitigation is to apply a vendor-released patch.

Generated by OpenCVE AI on May 20, 2026 at 15:35 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.


Vendor Workaround

No workarounds known.


OpenCVE Recommended Actions

  • Upgrade the BIND 9 software to a patched release such as 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1, depending on your current version.
  • Implement rate limiting on DNS query traffic to the resolver to mitigate potential amplification effects.
  • Configure the resolver to reject responses containing self-pointed glue records from unauthorized zones.

Generated by OpenCVE AI on May 20, 2026 at 15:35 UTC.


Advisories

Source: Debian DSA
ID: DSA-6285-1
Title: bind9 security update
History

Wed, 20 May 2026 14:30:00 +0000

Values Removed: none listed
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Values Removed: none listed
Values Added:
  Description: BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
  Title: Amplification vulnerabilities via self-pointed glue records
  First Time appeared: Isc; Isc bind
  Weaknesses: CWE-408
  CPEs: cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
  Vendors & Products: Isc; Isc bind
  References:
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:42:21.764Z

Reserved: 2026-03-05T12:53:33.956Z

Link: CVE-2026-3592

Vulnrichment

Updated: 2026-05-20T13:42:17.866Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T13:16:23.790

Modified: 2026-05-20T14:04:57.320

Link: CVE-2026-3592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:45:33Z

Weaknesses