CVE-2026-1519 (GCVE-0-2026-1519)

Vulnerability from cvelistv5 – Published: 2026-03-25 13:25 – Updated: 2026-04-13 09:35
VLAI?
Title
Excessive NSEC3 iterations cause high CPU load during insecure delegation validation
Summary
If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-606 - Unchecked Input for Loop Condition
Assigner
isc
References
Impacted products
Vendor Product Version
ISC BIND 9 Affected: 9.11.0 , ≤ 9.16.50 (custom)
Affected: 9.18.0 , ≤ 9.18.46 (custom)
Affected: 9.20.0 , ≤ 9.20.20 (custom)
Affected: 9.21.0 , ≤ 9.21.19 (custom)
Affected: 9.11.3-S1 , ≤ 9.16.50-S1 (custom)
Affected: 9.18.11-S1 , ≤ 9.18.46-S1 (custom)
Affected: 9.20.9-S1 , ≤ 9.20.20-S1 (custom)
Create a notification for this product.
Date Public ?
2026-03-25 00:00
Credits
ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1519",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:55:33.427270Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:55:40.032Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-13T09:35:57.526Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.16.50",
              "status": "affected",
              "version": "9.11.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46",
              "status": "affected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.20",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.19",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.16.50-S1",
              "status": "affected",
              "version": "9.11.3-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46-S1",
              "status": "affected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.20-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.16.50",
                  "versionStartIncluding": "9.11.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46",
                  "versionStartIncluding": "9.18.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20",
                  "versionStartIncluding": "9.20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.19",
                  "versionStartIncluding": "9.21.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.16.50-S1",
                  "versionStartIncluding": "9.11.3-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46-S1",
                  "versionStartIncluding": "9.18.11-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20-S1",
                  "versionStartIncluding": "9.20.9-S1",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-03-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).\nThis issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "If this issue is encountered, the resolver may experience excessive CPU consumption and a sharp decrease in the number of queries per second that it can handle."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-606",
              "description": "CWE-606 Unchecked Input for Loop Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T13:25:19.802Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2026-1519",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2026-1519"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.18.47"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.47, 9.20.21, 9.21.20, 9.18.47-S1, or 9.20.21-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Excessive NSEC3 iterations cause high CPU load during insecure delegation validation",
      "workarounds": [
        {
          "lang": "en",
          "value": "This is not recommended, but disabling DNSSEC (`dnssec-validation no;`) prevents exploitation of this issue."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2026-1519",
    "datePublished": "2026-03-25T13:25:19.802Z",
    "dateReserved": "2026-01-28T09:54:49.514Z",
    "dateUpdated": "2026-04-13T09:35:57.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-1519\",\"sourceIdentifier\":\"security-officer@isc.org\",\"published\":\"2026-03-25T14:16:33.110\",\"lastModified\":\"2026-04-13T10:16:11.147\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).\\nThis issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.\"},{\"lang\":\"es\",\"value\":\"Si un resolvedor BIND est\u00e1 realizando validaci\u00f3n DNSSEC y encuentra una zona creada maliciosamente, el resolvedor puede consumir CPU excesiva. Los servidores solo autoritativos generalmente no se ven afectados, aunque hay circunstancias en las que los servidores autoritativos pueden realizar consultas recursivas (ver: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).\\nEste problema afecta a las versiones de BIND 9 9.11.0 a 9.16.50, 9.18.0 a 9.18.46, 9.20.0 a 9.20.20, 9.21.0 a 9.21.19, 9.11.3-S1 a 9.16.50-S1, 9.18.11-S1 a 9.18.46-S1, y 9.20.9-S1 a 9.20.20-S1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-officer@isc.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-officer@isc.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-606\"}]}],\"references\":[{\"url\":\"https://downloads.isc.org/isc/bind9/9.18.47\",\"source\":\"security-officer@isc.org\"},{\"url\":\"https://downloads.isc.org/isc/bind9/9.20.21\",\"source\":\"security-officer@isc.org\"},{\"url\":\"https://downloads.isc.org/isc/bind9/9.21.20\",\"source\":\"security-officer@isc.org\"},{\"url\":\"https://kb.isc.org/docs/cve-2026-1519\",\"source\":\"security-officer@isc.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2026/04/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2026/04/msg00008.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-04-13T09:35:57.526Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1519\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T14:55:33.427270Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T14:55:35.675Z\"}}], \"cna\": {\"title\": \"Excessive NSEC3 iterations cause high CPU load during insecure delegation validation\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention.\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"If this issue is encountered, the resolver may experience excessive CPU consumption and a sharp decrease in the number of queries per second that it can handle.\"}]}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ISC\", \"product\": \"BIND 9\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.11.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.16.50\"}, {\"status\": \"affected\", \"version\": \"9.18.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.18.46\"}, {\"status\": \"affected\", \"version\": \"9.20.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.20.20\"}, {\"status\": \"affected\", \"version\": \"9.21.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.21.19\"}, {\"status\": \"affected\", \"version\": \"9.11.3-S1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.16.50-S1\"}, {\"status\": \"affected\", \"version\": \"9.18.11-S1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.18.46-S1\"}, {\"status\": \"affected\", \"version\": \"9.20.9-S1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.20.20-S1\"}], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"We are not aware of any active exploits.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.47, 9.20.21, 9.21.20, 9.18.47-S1, or 9.20.21-S1.\"}], \"datePublic\": \"2026-03-25T00:00:00.000Z\", \"references\": [{\"url\": \"https://kb.isc.org/docs/cve-2026-1519\", \"name\": \"CVE-2026-1519\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://downloads.isc.org/isc/bind9/9.18.47\", \"tags\": [\"patch\"]}, {\"url\": \"https://downloads.isc.org/isc/bind9/9.20.21\", \"tags\": [\"patch\"]}, {\"url\": \"https://downloads.isc.org/isc/bind9/9.21.20\", \"tags\": [\"patch\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"This is not recommended, but disabling DNSSEC (`dnssec-validation no;`) prevents exploitation of this issue.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).\\nThis issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-606\", \"description\": \"CWE-606 Unchecked Input for Loop Condition\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"9.16.50\", \"versionStartIncluding\": \"9.11.0\"}, {\"criteria\": \"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"9.18.46\", \"versionStartIncluding\": \"9.18.0\"}, {\"criteria\": \"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"9.20.20\", \"versionStartIncluding\": \"9.20.0\"}, {\"criteria\": \"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"9.21.19\", \"versionStartIncluding\": \"9.21.0\"}, {\"criteria\": \"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"9.16.50-S1\", \"versionStartIncluding\": \"9.11.3-S1\"}, {\"criteria\": \"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"9.18.46-S1\", \"versionStartIncluding\": \"9.18.11-S1\"}, {\"criteria\": \"cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"9.20.20-S1\", \"versionStartIncluding\": \"9.20.9-S1\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"404fd4d2-a609-4245-b543-2c944a302a22\", \"shortName\": \"isc\", \"dateUpdated\": \"2026-03-25T13:25:19.802Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-1519\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-13T09:35:57.526Z\", \"dateReserved\": \"2026-01-28T09:54:49.514Z\", \"assignerOrgId\": \"404fd4d2-a609-4245-b543-2c944a302a22\", \"datePublished\": \"2026-03-25T13:25:19.802Z\", \"assignerShortName\": \"isc\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.