oss-sec mailing list archives

ISC has disclosed four vulnerabilities in BIND 9 (CVE-2026-1519, CVE-2026-3104, CVE-2026-3119, CVE-2026-3591)


From: Nicki Křížek <nicki () isc org>
Date: Wed, 25 Mar 2026 14:07:51 +0100

On 25 March 2026, Internet Systems Consortium disclosed four vulnerabilities affecting our BIND 9 software:

- CVE-2026-1519: Excessive NSEC3 iterations cause high CPU load during insecure delegation validation
  https://kb.isc.org/docs/cve-2026-1519
- CVE-2026-3104: Memory leak in code preparing DNSSEC proofs of non-existence
  https://kb.isc.org/docs/cve-2026-3104
- CVE-2026-3119: Authenticated query containing a TKEY record may cause named to terminate unexpectedly
  https://kb.isc.org/docs/cve-2026-3119
- CVE-2026-3591: A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass
  https://kb.isc.org/docs/cve-2026-3591

New versions of BIND 9 are available:

- https://downloads.isc.org/isc/bind9/9.18.47/
- https://downloads.isc.org/isc/bind9/9.20.21/
- https://downloads.isc.org/isc/bind9/9.21.20/

For more information and other release formats, consult the ISC software download page: https://www.isc.org/download/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages 
that have been prepared may be released.

--
Nicki Křížek (they/them)

Attachment: OpenPGP_0x01623B9B652A20A7.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

