INTERNET Systems Consortium (ISC) on Wednesday rolled out a fresh round of BIND 9 updates to resolve four vulnerabilities, including two high-severity bugs (CVE-2026-3104 and CVE-2026-1519). The first high-severity flaw is a memory leak issue affecting code preparing DNSSEC proofs of non-existence, which can cause unbounded growth of Resident Set Size memory and an out-of-memory condition, with named potentially exiting on reload or shutdown.
The second high-severity vulnerability could lead to high CPU consumption during DNSSEC validation, possibly reducing the number of handled queries; disabling DNSSEC is not recommended but would prevent exploitation. The two medium-severity flaws are CVE-2026-3119, which could cause unexpected named termination when processing a query with a TKEY record, and CVE-2026-3591, a use-after-return flaw in SIG(0) handling that could lead to an ACL bypass.
Patches are included in BIND versions 9.18.47, 9.20.21, and 9.21.20, as well as in the corresponding SPl editions, with ISC noting it is not aware of these vulnerabilities being exploited in the wild, and according to Ubuntu’s advisory these issues can cause DoS if exploited.