BIND Updates Patch High-Severity Vulnerabilities


What happened

New BIND updates patch high-severity vulnerabilities that could allow attackers to trigger denial-of-service conditions in affected resolver deployments. Internet Systems Consortium released the updates on Wednesday to fix four flaws, including two high-severity issues. The first, CVE-2026-3104, is a memory leak bug in code that prepares DNSSEC proofs of non-existence. According to ISC, a specially crafted domain can cause memory used by named not to be recovered, leading to unbounded RSS memory growth, a possible out-of-memory condition, and an assertion failure if shutdown or reload is attempted. The second high-severity flaw, CVE-2026-1519, can cause high CPU consumption when a resolver encounters a maliciously crafted zone during DNSSEC validation, sharply reducing the number of handled queries. ISC said authoritative servers may not be impacted by CVE-2026-3104.

Who is affected

The direct exposure affects organizations running vulnerable BIND resolver deployments. ISC said the memory leak issue impacts resolver code, while the CPU consumption flaw affects resolvers during DNSSEC validation of a maliciously crafted zone. The article does not say that authoritative servers are affected by the first high-severity flaw.

Why CISOs should care

This matters because both high-severity flaws can lead to denial of service in infrastructure that supports DNS resolution. It is also relevant because the patched issues include memory exhaustion, high CPU consumption, unexpected named termination, and a possible ACL bypass, all in a widely used DNS software suite.

3 practical actions

  1. Upgrade to the patched releases: Move affected systems to BIND versions 9.18.47, 9.20.21, or 9.21.20, or to the supported preview editions 9.18.47-S1 and 9.20.21-S1 where applicable.
  2. Prioritize resolver exposure: Review resolver deployments first, since the two high-severity flaws described in the article affect resolver behavior and can lead to denial-of-service conditions.
  3. Assess the broader patch set: Include the medium-severity fixes in remediation planning as well, since the update also addresses unexpected named termination tied to TKEY processing and a SIG(0) handling flaw that could lead to ACL bypass.
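As an added example (not code from ISC or from the article), the following Python sketch applies action 1 to a resolver inventory by comparing `named -v` version strings against the patched releases listed above. The host names, the tab-separated inventory format, and the sample version lines are constructed assumptions.

```python
import re

# Patched releases named in the article, keyed by release branch.
PATCHED = {(9, 18): 47, (9, 20): 21, (9, 21): 20}
# Branches for which the article lists a supported preview edition (-S1).
PREVIEW = {(9, 18), (9, 20)}

# `named -v` prints a line beginning "BIND <version>"; "-S<n>" marks a preview edition.
VERSION_RE = re.compile(r"BIND (\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")

def classify(version_line):
    """Return (status, target) for one `named -v` output line."""
    m = VERSION_RE.search(version_line)
    if m is None:
        return ("unparsed", None)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    branch = (major, minor)
    if branch not in PATCHED:
        # The article gives no fixed release for this branch, so no verdict.
        return ("branch-not-listed", None)
    if patch >= PATCHED[branch]:
        return ("patched", None)
    target = f"{major}.{minor}.{PATCHED[branch]}"
    if m.group(4) and branch in PREVIEW:
        target += "-S1"
    # Distribution packages can backport fixes under an older upstream version;
    # confirm against the vendor advisory before treating this as final.
    return ("needs-upgrade", target)

def audit(inventory):
    """Map host -> classify() result; each line is 'host<TAB>named -v output'."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, version_line = line.partition("\t")
        results[host.strip()] = classify(version_line)
    return results

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = (
    "resolver-a\tBIND 9.18.44 (Extended Support Version) <id:0000000>\n"
    "resolver-b\tBIND 9.20.21 (Stable Release) <id:0000000>\n"
    "resolver-c\tBIND 9.18.41-S1 (Extended Support Version) <id:0000000>\n"
    "resolver-d\tBIND 9.16.50 (Extended Support Version) <id:0000000>\n"
)

if __name__ == "__main__":
    for host, (status, target) in audit(SAMPLE).items():
        print(f"{host}: {status}" + (f" -> {target}" if target else ""))
```

A `branch-not-listed` result means the article names no fixed release for that branch, so the script gives no verdict and the host needs a manual check against the ISC advisory.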



John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.