Description
BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

BIND 9 resolvers can be abused to launch an amplified resource consumption attack when a resolver queries a specially crafted zone that contains self‑pointed glue records. The resolver processes the unusual response and allocates disproportionate amounts of memory and CPU, which can overwhelm the server. The weakness is classified as early amplification (CWE‑408) and allocation of resources without limits or throttling (CWE‑770).

Affected Systems

ISC BIND 9 servers that run any of the following version ranges are affected: 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, the corresponding security releases 9.11.3‑S1 through 9.16.50‑S1, 9.18.11‑S1 through 9.18.48‑S1, and 9.20.9‑S1 through 9.20.22‑S1.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, affecting availability only. The EPSS score of less than 1% implies that the likelihood of exploitation is very low, and the vulnerability is not listed in CISA KEV, suggesting limited real‑world attacks. The likely attack vector involves a remote DNS client that sends queries to a resolver for a specially crafted zone containing self‑pointed glue records; the resolver processes the amplified response, consuming excessive memory and CPU and potentially exhausting system resources. The weakness is classified as early amplification (CWE‑408) and allocation of resources without limits or throttling (CWE‑770). Network‑level defenses such as rate limiting, or blocking self‑pointed glue records, can reduce the impact, but the most effective mitigation is to apply the vendor‑released patch.

Generated by OpenCVE AI on May 26, 2026 at 15:35 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.


Vendor Workaround

No workarounds known.


OpenCVE Recommended Actions

  • Upgrade the BIND 9 software to a patched release such as 9.18.49, 9.20.23, 9.21.22, 9.18.49‑S1, or 9.20.23‑S1, depending on your current version.
  • Implement rate limiting on DNS query traffic to the resolver to reduce the impact of potential amplification.
  • Configure the resolver to reject responses containing self‑pointed glue records from unauthorized zones or disable such records in the zones you control.

Generated by OpenCVE AI on May 26, 2026 at 15:35 UTC.


Advisories
Source       ID           Title
Debian DSA   DSA-6285-1   bind9 security update
Ubuntu USN   USN-8293-1   Bind vulnerabilities
History

Tue, 26 May 2026 12:15:00 +0000

Type         Values Removed            Values Added
Weaknesses   (none)                    CWE-770
References   (none)                    (none)
Metrics      threat_severity: None     threat_severity: Moderate


Thu, 21 May 2026 15:30:00 +0000

Type   Values Removed   Values Added
CPEs   (none)           cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*

Wed, 20 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Type                  Values Removed   Values Added
Description           (none)           BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Title                 (none)           Amplification vulnerabilities via self-pointed glue records
First Time appeared   (none)           Isc; Isc bind
Weaknesses            (none)           CWE-408
CPEs                  (none)           cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Isc; Isc bind
References            (none)           (none)
Metrics               (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:42:21.764Z

Reserved: 2026-03-05T12:53:33.956Z

Link: CVE-2026-3592

Vulnrichment

Updated: 2026-05-20T13:42:17.866Z

NVD

Status: Analyzed

Published: 2026-05-20T13:16:23.790

Modified: 2026-05-21T15:24:25.007

Link: CVE-2026-3592

Redhat

Severity: Moderate

Public Date: 2026-05-26T03:44:20Z

Links: CVE-2026-3592 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T15:45:08Z

Weaknesses
  • CWE-408: Incorrect Behavior Order: Early Amplification
  • CWE-770: Allocation of Resources Without Limits or Throttling