BIND Updates Patch High-Severity Vulnerabilities

What happened

New BIND updates patch high-severity vulnerabilities that could allow attackers to trigger denial-of-service conditions in affected resolver deployments. Internet Systems Consortium released the updates on Wednesday to fix four flaws, including two high-severity issues. The first, CVE-2026-3104, is a memory leak bug in code that prepares DNSSEC proofs of non-existence. According to ISC, a specially crafted domain can cause memory used by named not to be recovered, leading to unbounded RSS memory growth, a possible out-of-memory condition, and an assertion failure if shutdown or reload is attempted. The second high-severity flaw, CVE-2026-1519, can cause high CPU consumption when a resolver encounters a maliciously crafted zone during DNSSEC validation, sharply reducing the number of handled queries. ISC said authoritative servers may not be impacted by CVE-2026-3104.

Who is affected

The direct exposure affects organizations running vulnerable BIND resolver deployments. ISC said the memory leak issue impacts resolver code, while the CPU consumption flaw affects resolvers during DNSSEC validation of a maliciously crafted zone. The article does not say that authoritative servers are affected by the first high-severity flaw.

Why CISOs should care

This matters because both high-severity flaws can lead to denial of service in infrastructure that supports DNS resolution. It is also relevant because the patched issues include memory exhaustion, high CPU consumption, unexpected named termination, and a possible ACL bypass, all in a widely used DNS software suite.

3 practical actions

  1. Upgrade to the patched releases: Move affected systems to BIND versions 9.18.47, 9.20.21, or 9.21.20, or to the supported preview editions 9.18.47-S1 and 9.20.21-S1 where applicable.
  2. Prioritize resolver exposure: Review resolver deployments first, since the two high-severity flaws described in the article affect resolver behavior and can lead to denial-of-service conditions.
  3. Assess the broader patch set: Include the medium-severity fixes in remediation planning as well, since the update also addresses unexpected named termination tied to TKEY processing and a SIG(0) handling flaw that could lead to ACL bypass.
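One way to apply actions 1 and 2 across a fleet, as an added example that is not part of the original article or any ISC tooling: it compares collected `named -v` output against the patched releases listed above. The hostnames and version strings are constructed samples, and routing vendor-packaged builds to manual review rests on the assumption that such builds may carry backported fixes.

```python
import re

# Patched releases named in the article, keyed by release branch.
PATCHED = {(9, 18): 47, (9, 20): 21, (9, 21): 20}
# Branches for which the article also lists a patched preview (-S1) edition.
PREVIEW_BRANCHES = {(9, 18), (9, 20)}

# x.y.z, optional -S<n> preview tag, optional vendor/package suffix.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+)\b)?(-[\w.+~]+)?")

def classify(version_text):
    """Return (status, note); status is 'patched', 'upgrade' or 'review'."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "review", "no version number found"
    branch = (int(m.group(1)), int(m.group(2)))
    patch, preview, vendor = int(m.group(3)), m.group(4), m.group(5)
    if branch not in PATCHED:
        return "review", "branch not covered by the releases listed in the article"
    if preview and branch not in PREVIEW_BRANCHES:
        return "review", "no patched preview edition listed for this branch"
    target = "%d.%d.%d%s" % (*branch, PATCHED[branch], "-S1" if preview else "")
    if patch >= PATCHED[branch]:
        return "patched", "at or above " + target
    if vendor:
        # Assumption: vendor builds may backport fixes without bumping x.y.z.
        return "review", "below %s; check the vendor advisory for backports" % target
    return "upgrade", "move to " + target

# Constructed sample inventory: hostname -> output of `named -v`.
SAMPLE = {
    "resolver-a": "BIND 9.18.47 (Extended Support Version) <id:constructed>",
    "resolver-b": "BIND 9.20.19 (Stable Release) <id:constructed>",
    "resolver-c": "BIND 9.18.46-S1 (Supported Preview Version) <id:constructed>",
    "resolver-d": "BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu (Extended Support Version)",
    "resolver-e": "BIND 9.16.50 (Extended Support Version) <id:constructed>",
}

def audit(inventory):
    """Classify every host and return {host: (status, note)}."""
    return {host: classify(text) for host, text in inventory.items()}

if __name__ == "__main__":
    for host, (status, note) in sorted(audit(SAMPLE).items()):
        print(f"{host:12} {status:8} {note}")
```

A "review" result means the string alone cannot settle the question; it is not a statement that the host is or is not affected.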


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.