Fixed Intel
HIGH THREAT ALERT
Aggregated Intel
High
Industry NewsImpact: 72/10

BIND Updates Patch High-Severity Vulnerabilities

Specially crafted domains could be used to cause out-of-memory conditions, leading to memory leaks in the BIND resolvers.

FIFixed Intel Team||2 min read|3 Views
BIND Updates Patch High-Severity Vulnerabilities

AI-Generated Summary

ISC released BIND 9 updates addressing four vulnerabilities, including two high-severity flaws (CVE-2026-3104 and CVE-2026-1519) that can cause denial-of-service through memory leaks and excessive CPU consumption during DNSSEC operations. Two medium-severity vulnerabilities (CVE-2026-3119 and CVE-2026-3591) were also patched, with the latter potentially allowing ACL bypass via crafted DNS requests. Patches are available in BIND versions 9.18.47, 9.20.21, and 9.21.20, with no known active exploitation reported.

Affected Sectors

GovernmentTelecommunicationsInternet Service ProvidersFinancial ServicesHealthcareTechnologyCritical Infrastructure

Frameworks

NCA-ECCISO27001NIST CSFNIST SP 800-53CIS Controls

Aggregated from SecurityWeek

This article was automatically aggregated from an external source. Content may be summarized.

Read Original

Full Analysis

Internet Systems Consortium (ISC) on Wednesday rolled out a fresh round of BIND 9 updates to resolve four vulnerabilities, including two high-severity bugs.

Tracked as CVE-2026-3104, the first high-severity flaw is described as a memory leak issue impacting code preparing DNSSEC proofs of non-existence.

The security defect can be exploited via crafted domains to cause a memory leak in BIND resolvers. Authoritative servers may not be impacted, ISC notes in its advisory.

“If a BIND resolver is asked to query a specially crafted domain, memory will not be recovered by named. This can cause unbounded growth of Resident Set Size (RSS) memory, which may lead to an out-of-memory condition. Additionally, named will exit with an assertion failure if a shutdown or reload is attempted,” ISC explains.

The second high-severity vulnerability patched in the DNS software suite is CVE-2026-1519, which can lead to high CPU consumption when the resolver encounters a maliciously crafted zone during DNSSEC validation. This could lead to a sharp decrease in the number of handled queries.

While not recommended, disabling DNSSEC prevents the exploitation of this vulnerability, ISC notes.

Advertisement. Scroll to continue reading.

Exploitation of both CVE-2026-3104 and CVE-2026-1519 can lead to denial of service (DoS), according to an advisory from Ubuntu, which provides BIND packages to its users. 

The first medium-severity flaw addressed in the latest BIND releases is CVE-2026-3119, which could lead to unexpected named termination during the processing of a query containing a TKEY record.

The second is CVE-2026-3591, a use-after-return flaw in SIG(0) handling code that could lead to ACL bypass. The issue can be exploited via specially crafted DNS requests.

Patches for these security defects were included in BIND versions 9.18.47, 9.20.21, and 9.21.20, and in BIND Supported Preview Edition versions 9.18.47-S1 and 9.20.21-S1.

ISC says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on its software updates page.

Related: Cisco Patches Multiple Vulnerabilities in IOS Software

Related: iOS, macOS 26.4 Roll Out With Fresh Security Patches

Related: Chrome 146 Update Patches High-Severity Vulnerabilities

Related: QNAP Patches Four Vulnerabilities Exploited at Pwn2Own

Originally published by SecurityWeek

Original Source

SecurityWeek