CVEFinder.io

CVE-2026-1519

⚠️ high
🔍 Scan for this CVE
Summary

If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3

Description

If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

CVSS Score
7.5
High
EPSS Score
0.1
Exploit Probability
Published Date
2026-03-25
First Seen: 2026-03-26
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 68.9% of all 329,778 vulnerabilities in our database.

#102,523
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Mar 25, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention.
SSVC data provided by CISA
Last Modified 2026-05-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE IDs (Weakness Types)
CWE-606

📦 Affected Products 4

Vendor Product Status Affected Versions
isc bind Affected
> 9.11.0 < 9.16.50
isc bind Affected
> 9.18.0 < 9.18.47
isc bind Affected
> 9.20.0 < 9.20.21
isc bind Affected
> 9.21.0 < 9.21.20

🔗 References 5

https://downloads.isc.org/isc/bind9/9.18.47
Patch
https://downloads.isc.org/isc/bind9/9.20.21
Patch
https://downloads.isc.org/isc/bind9/9.21.20
Patch
https://kb.isc.org/docs/cve-2026-1519
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2026/04...
Issue Tracking Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-3039 ⚠️ high 7.5 0.1 BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory ... 2026-05-20
CVE-2026-3592 🔶 medium 5.3 0.0 BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a quer... 2026-05-20
CVE-2026-3593 ⚠️ high 7.4 0.0 A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.... 2026-05-20
CVE-2026-5946 ⚠️ high 7.5 0.1 Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`... 2026-05-20
CVE-2026-5947 ⚠️ high 7.5 0.0 Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incomi... 2026-05-20
CVE-2026-5950 🔶 medium 5.3 0.1 An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling ... 2026-05-20
These CVEs affect the same products