Full Report
ISC BIND security advisory (AV26-280)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in ISC BIND 9
## CVE Details
- **CVE ID:** CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591
- **CVSS Score:** Not explicitly provided in advisory (Typically High/Critical for BIND DNS termination flaws)
- **CWE:**
- CVE-2026-1519: CWE-400 (Uncontrolled Resource Consumption)
- CVE-2026-3104: CWE-401 (Missing Release of Memory after Effective Lifetime)
- CVE-2026-3119: CWE-248 (Uncaught Exception / Improper Check)
- CVE-2026-3591: CWE-672 (Operation on a Resource after Expiration or Release)
## Affected Systems
- **Products:** ISC BIND 9 and BIND Supported Preview Edition
- **Versions:**
- 9.11.0 through 9.16.50
- 9.18.0 through 9.18.46
- 9.20.0 through 9.20.20
- 9.21.0 through 9.21.19
- Supported Preview Edition: 9.11.3-S1 through 9.20.20-S1
- **Configurations:** Systems configured as authoritative or recursive servers utilizing DNSSEC validation or SIG(0) authentication.
## Vulnerability Description
This advisory addresses four distinct security flaws:
1. **CVE-2026-1519:** Excessive NSEC3 iterations during insecure delegation validation lead to significant CPU exhaustion, potentially causing a Denial of Service (DoS).
2. **CVE-2026-3104:** A memory leak occurs within the code responsible for generating DNSSEC proofs of non-existence, which can lead to memory exhaustion over time.
3. **CVE-2026-3119:** An authenticated query containing a TKEY record can trigger an unexpected termination of the `named` process, leading to a service outage.
4. **CVE-2026-3591:** A stack use-after-return vulnerability in the SIG(0) handling logic. This memory corruption flaw could allow an attacker to bypass Access Control Lists (ACLs).
## Exploitation
- **Status:** Not explicitly stated as "in the wild"; assumed PoC/Technical details available via ISC.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None to Low
- **Integrity:** High (ACL bypass potential via CVE-2026-3591)
- **Availability:** High (DoS via CPU/Memory exhaustion and process termination)
## Remediation
### Patches
ISC recommends upgrading to the following versions or later:
- BIND 9.18.47
- BIND 9.20.21
- BIND 9.21.20
### Workarounds
- **CVE-2026-1519:** Limit maximum NSEC3 iterations in configuration (though upgrading is the only definitive fix).
- **CVE-2026-3591:** Disable SIG(0) authentication if not required for dynamic updates or zone transfers.
- **General:** Restrict access to `named` to trusted infrastructure using network firewalls where possible.
## Detection
- **Indicators of Compromise:**
- High CPU utilization by the `named` process without a corresponding increase in legitimate traffic.
- `named` process crashing/restarting with TKEY-related logs.
- Unexpected memory usage growth (leaks).
- **Detection methods:** Monitor system logs for core dumps or "unexpected termination" messages related to the BIND service.
## References
- ISC KB CVE-2026-1519: [https]://kb.isc.org/docs/cve-2026-1519
- ISC KB CVE-2026-3104: [https]://kb.isc.org/docs/cve-2026-3104
- ISC KB CVE-2026-3119: [https]://kb.isc.org/docs/cve-2026-3119
- ISC KB CVE-2026-3591: [https]://kb.isc.org/docs/cve-2026-3591
- BIND 9 Security Matrix: [https]://kb.isc.org/docs/aa-00913