The Internet Systems Consortium (ISC) has issued an important security advisory for BIND 9, the world’s most widely used DNS software. The update addresses three distinct vulnerabilities that could allow attackers to bypass security controls, crash servers, or trigger a denial-of-service (DoS) state through resource exhaustion.
Administrators are encouraged to review their current versions and apply the necessary patches to maintain the integrity and availability of their DNS infrastructure.
The first flaw, CVE-2026-3591, is a stack use-after-return bug in BIND's handling of SIG(0)-signed queries. Its consequence is an access-control failure: the ACL evaluation for a request can return the wrong result. In ISC's words:
“Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis) match an IP address.”
In BIND an address match list is evaluated first match wins, and a negated entry (written with a leading exclamation mark, "!") denies the sources it covers. A "default-allow" list blocks a few sources with negated entries and then admits everyone else with a trailing "any". That is the shape this bug endangers: a source that should have hit a negated entry can instead be treated as allowed. Default-deny lists, which name only the permitted sources and let everything else fall off the end of the list, are not the shape the advisory singles out, but the advisory does not say they are unaffected. Both authoritative servers and resolvers are affected.
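To make that shape concrete and auditable, here is an added example for this article (not ISC's code and not part of BIND): a small Python scanner that reads a named.conf, expands named acl definitions and nested lists, and reports every allow-* list in which a negated entry is followed by an unrestricted positive one ("any", 0.0.0.0/0 or ::/0). It assumes a simplified form of the named.conf grammar: the three BIND comment styles, acl definitions that appear before they are referenced, nested braces and "!" negation; keyword entries such as key "name" are kept as opaque tokens. The configuration it scans is constructed sample input, not a real deployment.

```python
"""Flag "default-allow" address match lists in a BIND named.conf: lists that
deny a few sources with negated (!) entries and then admit everyone else
with a trailing any / 0.0.0.0/0 / ::/0.

Added example for this article, not ISC code.  Handles a simplified
named.conf grammar (comments, acl definitions that precede their use,
nested { } lists, ! negation); key "name" and similar keyword entries are
kept as opaque tokens.  SAMPLE_CONF is constructed input, not a real host."""

import re

# Statements whose value is an address_match_list (longer names first).
STATEMENTS = ("allow-query-cache", "allow-query", "allow-recursion", "allow-transfer",
              "allow-update-forwarding", "allow-update", "allow-notify")
UNRESTRICTED = {"any", "0.0.0.0/0", "::/0"}

SAMPLE_CONF = """\
// Constructed sample for this example, not a real deployment.
acl "blocked" { 192.0.2.0/24; 2001:db8:bad::/48; };
acl "trusted" { 10.0.0.0/8; localhost; };
options {
    allow-query { !blocked; any; };          // default-allow
    allow-recursion { trusted; };            // default-deny
    /* nested form of the same default-allow shape */
    allow-transfer { !{ 192.0.2.0/24; }; 0.0.0.0/0; };
};
zone "example.test" {
    type primary;
    allow-update { key "update-key"; };
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments but keep newlines so line numbers hold."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_at(text, open_idx):
    """Body between the brace at open_idx and its matching close, plus close index."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[open_idx + 1:i], i
    raise ValueError("unbalanced braces")


def split_elements(body):
    """Split a list body on top-level semicolons, leaving nested lists intact."""
    items, cur, depth = [], "", 0
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [i for i in items + [cur.strip()] if i]


def flatten(body, acls, negate=False):
    """Return (negated, token) pairs in evaluation order.

    Named ACLs and nested lists are expanded in place.  An element's polarity
    is the XOR of every negation wrapping it, which preserves BIND's
    first-match semantics: !{ a; b; } behaves exactly like !a; !b;."""
    out = []
    for elem in split_elements(body):
        neg = negate
        while elem.startswith("!"):
            neg = not neg
            elem = elem[1:].strip()
        if elem.startswith("{"):
            inner, _ = block_at(elem, 0)
            out.extend(flatten(inner, acls, neg))
            continue
        token = elem.replace('"', "").strip()
        if token in acls:
            out.extend(flatten(acls[token], acls, neg))
        else:
            out.append((neg, token))
    return out


def parse_acls(text):
    """Map each acl "name" { ... }; definition to its raw body."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', text):
        acls[m.group(1)] = block_at(text, m.end() - 1)[0]
    return acls


def default_allow_lists(conf_text):
    """(line, statement, elements) for each list where a negated entry precedes
    an unrestricted positive one: a blocked source that the negated entry fails
    to match falls through to that entry and is allowed."""
    text = strip_comments(conf_text)
    acls = parse_acls(text)
    findings = []
    for m in re.finditer(r"\b(" + "|".join(STATEMENTS) + r")\s*\{", text):
        elems = flatten(block_at(text, m.end() - 1)[0], acls)
        for i, (neg, token) in enumerate(elems):
            if not neg and token in UNRESTRICTED and any(n for n, _ in elems[:i]):
                findings.append((text[:m.start()].count("\n") + 1, m.group(1), elems))
                break
    return findings


if __name__ == "__main__":
    for line, stmt, elems in default_allow_lists(SAMPLE_CONF):
        chain = " ".join(("!" if n else "") + t for n, t in elems)
        print("line %d: %s { %s } is default-allow" % (line, stmt, chain))
```

Run against the sample it reports the allow-query and allow-transfer lists and passes over allow-recursion and allow-update, which are allowlists with no negated entry. The scanner only looks for the default-allow shape; it does not flag the related mistake of a negated entry placed after "any", which is simply unreachable.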
CVE-2026-1519 is a high-severity (CVSS 7.5) vulnerability in BIND resolvers that perform DNSSEC validation. By steering a resolver to a maliciously crafted zone whose NSEC3 chain uses an excessive iteration count, an attacker forces the validator to do far more hashing per query: every NSEC3 owner name is a SHA-1 digest of the name and salt, re-hashed once more for each iteration, and the validator must compute it for every name it has to prove present or absent. The impact is immediate and disruptive:
- The resolver may experience “excessive CPU consumption and a sharp decrease in the number of queries per second that it can handle”.
- While resolvers are the primary target, authoritative servers might be affected if they are configured to make recursive queries.
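The cost curve is easy to reproduce. The following is an added example for this article, not ISC code and not taken from BIND: it implements the RFC 5155 NSEC3 owner-name hash in Python and times it at several iteration counts. The reference input (name "example.", salt aabbccdd, 12 iterations) comes from RFC 5155 Appendix A; the 150 and 2500 iteration counts and the host names are constructed for the comparison, not values from the advisory.

```python
"""NSEC3 owner-name hashing as specified in RFC 5155 section 5, to show why
the iteration count in a zone's NSEC3 chain drives a validator's CPU cost.

Added example for this article; not ISC code and not taken from BIND.  The
reference input (salt aabbccdd, 12 iterations, name "example.") is RFC 5155
Appendix A; the larger iteration counts in main() are constructed for the
cost comparison, not values from the advisory."""

import base64
import hashlib
import time

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python only ships the
# standard base32 alphabet, so map one onto the other.
_B32_TO_B32HEX = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
)


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length out of range: %r" % label)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """IH(salt, x, iterations) for hash algorithm 1 (SHA-1), RFC 5155 5.1:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):          # each iteration is one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def sha1_calls_per_name(iterations):
    """Hash invocations a validator spends on every name it must place in the
    chain (closest encloser, next closer name, wildcard for a name error)."""
    return iterations + 1


def hashing_seconds(iterations, names, salt_hex="aabbccdd"):
    """Wall-clock time to hash every name in `names` at this iteration count."""
    start = time.perf_counter()
    for n in names:
        nsec3_hash(n, salt_hex, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # RFC 5155 Appendix A: "example." hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(nsec3_hash("example.", "aabbccdd", 12))
    names = ["host%d.example." % i for i in range(500)]   # constructed names
    for it in (0, 150, 2500):
        print("iterations=%-5d sha1/name=%-5d %.3fs for %d names"
              % (it, sha1_calls_per_name(it), hashing_seconds(it, names), len(names)))
```

The work is linear in the iteration count and is paid per name, per query, on the resolver rather than on the zone owner who chose the parameter, which is why an attacker-controlled zone can dictate a validator's CPU budget. For comparison, RFC 9276 recommends zero additional iterations and an empty salt for NSEC3 zones.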
Finally, CVE-2026-3119 is a flaw in which "named may crash when processing a correctly signed query containing a TKEY record". Exploitation requires some pre-existing trust: the crash can only be triggered by a request that carries a valid transaction signature (TSIG) made with a key the server already knows, so the attack surface is limited to parties holding one of the configured keys.
If successfully exploited, the BIND process (named) will "terminate unexpectedly", resulting in a service outage.
The following table lists the affected versions and the corresponding fixed versions provided by ISC:

| Vulnerability | Affected Versions | Patched Versions |
| --- | --- | --- |
| CVE-2026-3591 (ACL bypass) | 9.20.0 – 9.20.20, 9.21.0 – 9.21.19 | 9.20.21, 9.21.20 |
| CVE-2026-1519 (CPU exhaustion) | 9.11.0 – 9.16.50, 9.18.0 – 9.18.46, 9.20.x, 9.21.x | 9.18.47, 9.20.21, 9.21.20 |
| CVE-2026-3119 (TKEY crash) | 9.20.0 – 9.20.20, 9.21.0 – 9.21.19 | 9.20.21, 9.21.20 |

Two things stand out: the 9.18 branch is affected only by CVE-2026-1519, and no fixed release is listed for the 9.11 through 9.16 branches, which ISC no longer maintains, so servers still on those branches need to move to a supported branch to receive the fix.
ISC's primary recommendation is to "Upgrade to the patched release most closely related to your current version of BIND 9".
For those unable to patch immediately, the advisory gives partial workarounds for two of the three flaws. For the TKEY crash, remove any TSIG keys the server does not actually need, which shrinks the set of parties able to send a validly signed request. For the CPU exhaustion, disabling DNSSEC validation stops the NSEC3 hashing, but ISC notes that this "is not recommended" because it gives up the protection validation provides. No workaround is listed for the ACL bypass, so upgrading is the only listed remedy there.