The Internet Systems Consortium (ISC) has found three security holes in BIND 9. If attackers took advantage of this, they could slow down DNS, stop services, or get into servers without permission, depending on how the servers are set up. The most serious problem, known as CVE-2026-1519, has a high CVSS score of 7.5 and can cause a denial-of-service attack by using too much CPU.

A second problem can make the named server process crash when it tries to handle a valid DNS query with a TKEY record. A third flaw lets attackers get around Access Control Lists (ACLs) by sending DNS requests that change how IP addresses are matched. There was no evidence of active exploitation in the wild at the time of disclosure.

However, because BIND is so important to the infrastructure of the internet around the world, these security holes are a big risk if they aren't fixed. Network admins and security teams are strongly urged to check the versions of BIND they are using and upgrade to the most recent patched versions right away. To keep DNS operations safe and reliable, patch management and configuration reviews must be done on a regular basis.

The ISC has released patched versions to fix these problems. Some of these are 9.18.47, 9.20.21, and 9.21.19. If you use the BIND Supported Preview Edition, you should also install the S1 updates right away. The flaws affect several branches of Bind 9, such as CVE-2026-1519: Versions 9.11.0–9.16.50, 918.0–9.18.20, 920.20–21.0, 921.21–20.0–9.22.19, 922.0.0 and 923.0–9.23.