CVE-2026-1519

High

Published: 25 March 2026

Published

25 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0003 9.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-1519 is a high-severity Unchecked Input for Loop Condition (CWE-606) vulnerability in Isc (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-21 (Secure Name/Address Resolution Service (Recursive or Caching Resolver)) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely remediation through application of ISC patches to affected BIND versions.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) good match

prevent

Establishes secure configurations and protections for recursive or caching DNS resolvers performing DNSSEC validation against resource exhaustion attacks.

SC-5 Denial-of-service Protection good match

prevent

Implements denial-of-service protections to limit effects of excessive CPU consumption triggered by maliciously crafted DNSSEC zones.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

CVE enables remote exploitation of public-facing BIND DNS resolvers via crafted input to trigger application-level resource exhaustion and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue…

affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

Deeper analysisAI

CVE-2026-1519 is a denial-of-service vulnerability in BIND 9 resolvers that perform DNSSEC validation. When such a resolver processes a maliciously crafted DNS zone, it may consume excessive CPU resources, leading to degraded performance or service disruption. The issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1. Authoritative-only servers are generally unaffected, though they may be vulnerable in scenarios where they issue recursive queries.

Remote attackers can exploit this vulnerability over the network with low complexity and no required privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending a specially crafted zone to a targeted BIND resolver performing DNSSEC validation, an attacker can trigger high CPU utilization, resulting in a denial-of-service condition that impacts availability without affecting confidentiality or integrity.

ISC has released patched versions including BIND 9.18.47, 9.20.21, and 9.21.20 to address the vulnerability; administrators should update affected installations promptly. Additional details are available in the ISC knowledge base article at https://kb.isc.org/docs/cve-2026-1519, which also references circumstances under which authoritative servers might make recursive queries and thus be exposed. Debian LTS users are advised via announcement at https://lists.debian.org/debian-lts-announce/2026/04/msg00008.html.

Details

CWE(s): CWE-606

Affected Products

Isc

—

inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-27689Shared CWE-606

CVE-2026-23689Shared CWE-606

References

https://downloads.isc.org/isc/bind9/9.18.47
security-officer@isc.org
https://downloads.isc.org/isc/bind9/9.20.21
security-officer@isc.org
https://downloads.isc.org/isc/bind9/9.21.20
security-officer@isc.org
https://kb.isc.org/docs/cve-2026-1519
security-officer@isc.org
https://lists.debian.org/debian-lts-announce/2026/04/msg00008.html
af854a3a-2127-422b-91ae-364da2661108