BIND Updates Patch High-Severity Vulnerabilities

What happened

New BIND updates patch high-severity vulnerabilities that could allow attackers to trigger denial-of-service conditions in affected resolver deployments. Internet Systems Consortium released the updates on Wednesday to fix four flaws, including two high-severity issues. The first, CVE-2026-3104, is a memory leak bug in code that prepares DNSSEC proofs of non-existence. According to ISC, a specially crafted domain can cause memory used by named not to be recovered, leading to unbounded RSS memory growth, a possible out-of-memory condition, and an assertion failure if shutdown or reload is attempted. The second high-severity flaw, CVE-2026-1519, can cause high CPU consumption when a resolver encounters a maliciously crafted zone during DNSSEC validation, sharply reducing the number of handled queries. ISC said authoritative servers may not be impacted by CVE-2026-3104.

Who is affected

The direct exposure affects organizations running vulnerable BIND resolver deployments. ISC said the memory leak issue impacts resolver code, while the CPU consumption flaw affects resolvers during DNSSEC validation of a maliciously crafted zone. The article does not say that authoritative servers are affected by the first high-severity flaw.

Why CISOs should care

This matters because both high-severity flaws can lead to denial of service in infrastructure that supports DNS resolution. It is also relevant because the patched issues include memory exhaustion, high CPU consumption, unexpected named termination, and a possible ACL bypass, all in a widely used DNS software suite.

3 practical actions

  1. Upgrade to the patched releases: Move affected systems to BIND versions 9.18.47, 9.20.21, or 9.21.20, or to the supported preview editions 9.18.47-S1 and 9.20.21-S1 where applicable.
  2. Prioritize resolver exposure: Review resolver deployments first, since the two high-severity flaws described in the article affect resolver behavior and can lead to denial-of-service conditions.
  3. Assess the broader patch set: Include the medium-severity fixes in remediation planning as well, since the update also addresses unexpected named termination tied to TKEY processing and a SIG(0) handling flaw that could lead to ACL bypass.
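The first two actions can be turned into an inventory check. The sketch below is an added example, not code from ISC or from the article: it compares `named -v` output against the fixed releases listed above and queues resolvers first. The host names and version strings are constructed, and treating a packaging suffix as a possible vendor backport is an assumption to confirm against the vendor's advisory.

```python
import re

# Fixed releases named in the article, keyed by release branch (major, minor).
FIXED_PATCH = {(9, 18): 47, (9, 20): 21, (9, 21): 20}

# Matches "9.18.47", "9.18.47-S1" and packaged builds like "9.18.28-0ubuntu0...".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?(\S*)")

def classify(named_v_output):
    """Map one `named -v` line to (status, version)."""
    m = VERSION_RE.search(named_v_output)
    if not m:
        return ("unparsed", named_v_output.strip())
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    version = f"{major}.{minor}.{patch}" + (f"-{m[4]}" if m[4] else "")
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # The article lists no fixed release for this branch.
        return ("branch-not-listed", version)
    if patch >= fixed:
        return ("patched", version)
    if m[5]:
        # Assumption: a packaging suffix may mean vendor-backported fixes,
        # so check the vendor advisory rather than trusting the number.
        return ("check-vendor-backport", version)
    return ("upgrade", version)

def upgrade_queue(inventory):
    """Hosts that are not confirmed patched, resolvers first."""
    pending = []
    for host, role, output in inventory:
        status, version = classify(output)
        if status != "patched":
            pending.append((role != "resolver", host, status, version))
    return [(host, status, version) for _, host, status, version in sorted(pending)]

# Constructed inventory: (host, role, output of `named -v`).
SAMPLE_INVENTORY = [
    ("ns1.example", "authoritative", "BIND 9.18.41 (Extended Support Version) <id:0000000>"),
    ("rdns1.example", "resolver", "BIND 9.20.21 (Stable Release) <id:0000000>"),
    ("rdns2.example", "resolver", "BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:0000000>"),
    ("rdns3.example", "resolver", "BIND 9.20.18-S1 <id:0000000>"),
    ("rdns4.example", "resolver", "BIND 9.16.50 (Extended Support Version) <id:0000000>"),
]

if __name__ == "__main__":
    for host, status, version in upgrade_queue(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> {status}")
```

Hosts on a branch the article does not list are reported separately rather than guessed at, since the article gives no fixed release for them.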
