cbcvebase.
CVE-2026-1519
published 2026-03-25

CVE-2026-1519: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only…

high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

Affected

25 ranges
VendorProductVersion rangeFixed in
debianbind9< bind9 1:9.18.47-1~deb12u1 (bookworm)bind9 1:9.18.47-1~deb12u1 (bookworm)
iscbind>= 0 < 9.18.47-r09.18.47-r0
iscbind>= 0 < 9.18.47-r09.18.47-r0
iscbind>= 0 < 9.20.21-r09.20.21-r0
iscbind>= 0 < 9.20.21-r09.20.21-r0
iscbind9.11.0 – 9.16.50
iscbind>= 9.18.0 < 9.18.479.18.47
iscbind>= 9.20.0 < 9.20.219.20.21
iscbind>= 9.21.0 < 9.21.209.21.20
iscbind9>= 0 < 1:9.18.47-1~deb12u11:9.18.47-1~deb12u1
iscbind9>= 0 < 1:9.20.21-1~deb13u11:9.20.21-1~deb13u1
iscbind9>= 0 < 1:9.20.21-11:9.20.21-1
iscbind9>= 0 < 1:9.18.39-0ubuntu0.22.04.31:9.18.39-0ubuntu0.22.04.3
iscbind9>= 0 < 1:9.18.39-0ubuntu0.24.04.31:9.18.39-0ubuntu0.24.04.3
iscbind9>= 0 < 1:9.20.11-1ubuntu2.21:9.20.11-1ubuntu2.2
iscbind_99.11.0 – 9.16.50
iscbind_99.11.3-S1 – 9.16.50-S1
iscbind_99.18.0 – 9.18.46
iscbind_99.18.11-S1 – 9.18.46-S1
iscbind_99.20.0 – 9.20.20
iscbind_99.20.9-S1 – 9.20.20-S1
iscbind_99.21.0 – 9.21.19
msrcazl3_bind_9.20.18-1_on_azure_linux_3.0
msrccbl2_bind_9.16.50-3_on_cbl_mariner_2.0
msrccbl2_dhcp_4.4.3.p1-3_on_cbl_mariner_2.0

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH