PatchSiren cyber security CVE debrief
CVE-2026-1519 ISC CVE debrief
CVE-2026-1519 is a high-severity availability issue in ISC BIND. When a resolver is performing DNSSEC validation and encounters a maliciously crafted zone, it may consume excessive CPU. The issue is mainly relevant to recursive resolver functionality; authoritative-only servers are generally unaffected, though ISC notes there are cases where authoritative servers may also make recursive queries. The CVE was published on 2026-03-25 and later modified on 2026-05-21 to reflect updated NVD analysis and vendor patch references.
- Vendor: ISC
- Product: BIND 9
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-25
- Original CVE updated: 2026-05-21
- Advisory published: 2026-03-25
- Advisory updated: 2026-05-21
Who should care
Organizations running ISC BIND as a recursive resolver, especially where DNSSEC validation is enabled, should treat this as a priority. DNS infrastructure teams, managed DNS operators, and anyone running mixed-role BIND deployments should review exposure carefully, including any authoritative servers that can make recursive queries.
Technical summary
The vulnerability is a CPU-exhaustion denial-of-service condition triggered during DNSSEC validation against a maliciously crafted zone. NVD maps the weakness to CWE-606 and rates the issue CVSS 3.1 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The affected ranges listed in the source are BIND 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and the corresponding -S1 release lines called out in the CVE description.
Defensive priority
High. This is remotely reachable, requires no privileges or user interaction, and can impact resolver availability by driving excessive CPU use.
Recommended defensive actions
- Upgrade affected BIND installations to ISC-fixed releases referenced by the vendor: 9.18.47, 9.20.21, or 9.21.20, as applicable to your branch.
- Review whether any BIND instances thought to be authoritative-only can make recursive queries, and include those systems in exposure assessment.
- Identify all BIND 9 versions in the affected ranges, including any special -S1 builds, and validate patch coverage against the vendor advisory.
- Prioritize recursive resolvers that perform DNSSEC validation, since they are the primary exposure path described in the CVE.
- Monitor CPU usage and resolver stability on exposed systems until patching is complete.
- Use the ISC vendor advisory as the authoritative source for branch-specific remediation guidance and any special-build instructions.
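For the version-inventory step above, the following added example (not code from ISC or from this page's sources) classifies BIND version strings against the affected ranges and fixed releases listed on this page. The function name `classify`, the status labels, and the sample strings are assumptions made for illustration; input is assumed to look like `named -v` output.

```python
import re

# Affected ranges (inclusive) and fixed releases as listed on this page.
# Each entry: (first affected, last affected, fixed release or None).
AFFECTED = [
    ((9, 11, 0), (9, 16, 50), None),  # page lists no fixed release for these branches
    ((9, 18, 0), (9, 18, 46), "9.18.47"),
    ((9, 20, 0), (9, 20, 20), "9.20.21"),
    ((9, 21, 0), (9, 21, 19), "9.21.20"),
]

# Matches "9.18.41", "9.18.41-S1", and packaged builds such as "9.18.41-1~deb12u1".
VERSION_RE = re.compile(r"\b(9)\.(\d+)\.(\d+)(-S\d+)?([-+~]\S+)?")

def classify(version_text):
    """Return (status, detail) for a BIND version string such as `named -v` output."""
    m = VERSION_RE.search(version_text)
    if not m:
        return ("unparsed", "no BIND 9 version found")
    ver = tuple(int(m.group(i)) for i in (1, 2, 3))
    dotted = ".".join(map(str, ver))
    if m.group(4):
        # The page names -S1 lines as affected but does not give their bounds.
        return ("review", f"{dotted}{m.group(4)}: check this -S build against the ISC advisory")
    for low, high, fixed in AFFECTED:
        if low <= ver <= high:
            if m.group(5):
                # Distro packages can backport fixes without changing the upstream number.
                return ("review", f"{dotted}{m.group(5)}: in affected range, confirm with the packager's advisory")
            if fixed is None:
                return ("affected", f"{dotted}: no fixed release listed for this branch")
            return ("affected", f"{dotted}: upgrade to {fixed} or later")
    return ("not_in_range", f"{dotted}: outside the ranges listed")

if __name__ == "__main__":
    # Constructed sample inventory (host names and version strings are made up).
    inventory = {
        "resolver-a": "BIND 9.18.46 (Extended Support Version) <id:constructed>",
        "resolver-b": "BIND 9.20.21 (Stable Release) <id:constructed>",
        "resolver-c": "BIND 9.18.41-S1 (Extended Support Version) <id:constructed>",
        "resolver-d": "BIND 9.18.41-1~deb12u1-Debian <id:constructed>",
    }
    for host, text in inventory.items():
        print(host, *classify(text))
```

A `review` result means the upstream number alone cannot settle the question; those hosts still need a manual check against the vendor or packager advisory.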
Evidence notes
All claims here are grounded in the supplied CVE description, NVD record metadata, and ISC-linked references. The CVE text states the resolver CPU impact, the DNSSEC-validation condition, and the general exemption for authoritative-only servers. NVD supplies the affected version ranges, CVSS vector, and CWE-606 mapping. The reference list includes ISC patch downloads and the ISC vendor advisory, plus a Debian LTS advisory for third-party tracking. No exploit details are included.
Official resources
- CVE-2026-1519 CVE record (CVE.org)
- CVE-2026-1519 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Issue Tracking, Third Party Advisory
Publicly disclosed on 2026-03-25, with NVD marked analyzed and updated on 2026-05-21 after vendor patch references were added to the record.