The Internet Systems Consortium (ISC) has issued a new set of updates for BIND 9, targeting four security vulnerabilities, two of which are designated as high-severity. This move aims to enhance the security of DNS operations worldwide.
Key Vulnerabilities Addressed
The more serious of the two high-severity flaws is CVE-2026-3104, a memory leak in the code that prepares DNSSEC proofs of non-existence. A resolver that looks up a maliciously configured domain can be made to leak memory on each such lookup; according to ISC, authoritative servers are not affected.
Over time the leak inflates the named process's resident set size (RSS) until the host runs out of memory. The resolver may also terminate with an assertion failure when it is shut down or reloaded while in this state.
Impact of the High-Severity Bugs
The second high-severity vulnerability, CVE-2026-1519, causes a large increase in CPU usage when a resolver performs DNSSEC validation against a maliciously crafted zone, leaving far less capacity for legitimate queries.
Disabling DNSSEC validation removes the trigger, but ISC advises against doing so as a mitigation, since it also removes the protection that validation provides. Both flaws can culminate in a denial-of-service (DoS) condition, as Ubuntu notes in its advisory for the BIND packages it ships.
Patches and Additional Security Fixes
The same releases fix two medium-severity issues: CVE-2026-3119, which can terminate the named process when it handles a query carrying a TKEY record, and CVE-2026-3591, a use-after-return flaw in SIG(0) handling that could let crafted DNS requests bypass access control lists (ACLs).
The fixes ship in BIND 9.18.47, 9.20.21 and 9.21.20, and in the BIND Supported Preview Edition releases 9.18.47-S1 and 9.20.21-S1. ISC says it is not aware of any in-the-wild exploitation of these vulnerabilities to date. Further details are available on ISC's software updates page.
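As an added example (not ISC's tooling and not code from the advisory), the POSIX shell script below compares a BIND version string against the fixed releases listed above. It assumes `named -v` prints a line beginning with `BIND <version>`, as upstream builds do; the branch-to-fix mapping is taken from the versions in this article, and any branch not listed is reported as unknown rather than safe.

```shell
#!/bin/sh
# Added example: checks a BIND version string against the fixed releases named
# in the advisory summary (9.18.47, 9.20.21, 9.21.20 and the -S1 preview builds).
# Not ISC's tooling. Assumes `named -v` prints "BIND <version> ..." as upstream
# builds do.

# Fixed release for each branch covered by the article. Anything else is
# reported as "unknown-branch" rather than assumed safe.
fixed_for_branch() {
    case "$1" in
        9.18) echo 9.18.47 ;;
        9.20) echo 9.20.21 ;;
        9.21) echo 9.21.20 ;;
        *)    return 1 ;;
    esac
}

# version_ge A B: succeeds when dotted version A >= B. A "-S1" style suffix
# (Supported Preview Edition) is ignored because the fix level is the same.
version_ge() {
    a=${1%%-*}
    b=${2%%-*}
    old_ifs=$IFS
    IFS=.
    set -- $a $b          # $1..$3 = candidate, $4..$6 = baseline
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# bind_patch_status VERSION: prints patched | vulnerable | unknown-branch | distro-build
bind_patch_status() {
    ver=$1
    base=${ver%%-*}               # 9.18.46-S1 -> 9.18.46
    suffix=${ver#"$base"}         # "" | -S1 | distro tag such as -0ubuntu0.22.04.1-Ubuntu
    case "$suffix" in
        ""|-S[0-9]*) ;;
        *)  # Distributions backport fixes without bumping the upstream number,
            # so the version alone proves nothing; check the package changelog.
            echo distro-build
            return 0 ;;
    esac
    branch=${base%.*}             # 9.18.46 -> 9.18
    fixed=$(fixed_for_branch "$branch") || { echo unknown-branch; return 0; }
    if version_ge "$ver" "$fixed"; then
        echo patched
    else
        echo vulnerable
    fi
}

# extract_version LINE: pulls the version out of the first line of `named -v`.
extract_version() {
    printf '%s\n' "$1" | awk '$1 == "BIND" { print $2; exit }'
}

# check_local_named: runs the check against the named binary on PATH, if any.
check_local_named() {
    command -v named >/dev/null 2>&1 || { echo "named: not installed"; return 0; }
    v=$(extract_version "$(named -v 2>/dev/null)")
    [ -n "$v" ] || { echo "named: could not parse 'named -v' output"; return 0; }
    echo "named $v: $(bind_patch_status "$v")"
}

check_local_named
```

Two caveats are built in on purpose. A version string carrying a distribution suffix (the Ubuntu packages mentioned above look like `9.18.28-0ubuntu0.22.04.1-Ubuntu`) is reported as `distro-build` rather than `vulnerable`, because distributions backport fixes without changing the upstream version number, so only the package changelog or the vendor advisory can answer the question. And a branch the article does not list (for example 9.16) is reported as `unknown-branch`, not `patched`.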
Related updates on security patches have also been made by major tech companies for their software, including Cisco, Apple, and Google.
