CVE-2026-3592 Overview
CVE-2026-3592 is a resource exhaustion vulnerability in ISC BIND 9 resolvers. When a victim resolver queries a specially crafted authoritative zone, it consumes disproportionate CPU and memory resources. Attackers exploit this asymmetry to amplify resource consumption against recursive DNS infrastructure.
The flaw is categorized under [CWE-408] (Incorrect Behavior Order: Early Amplification). It affects long-supported branches of BIND 9, including both open-source and Subscription Edition (-S1) builds. No authentication or user interaction is required, and the attack is network-reachable.
Critical Impact
A remote, unauthenticated attacker controlling or influencing a queried zone can degrade resolver availability through amplified resource consumption, impacting DNS resolution for downstream clients.
Affected Products
- ISC BIND 9 versions 9.11.0 through 9.16.50
- ISC BIND 9 versions 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, and 9.21.0 through 9.21.21
- ISC BIND 9 Subscription Edition: 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1
Discovery Timeline
- 2026-05-20 - CVE-2026-3592 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-3592
Vulnerability Analysis
The vulnerability resides in how BIND 9 resolvers process responses from authoritative servers for certain zone constructions. Querying a maliciously crafted zone forces the resolver to perform disproportionate internal work relative to the query size. The result is amplified consumption of CPU, memory, or socket resources on the resolver host.
Because recursive resolvers serve many downstream clients, a sustained stream of queries that trigger this asymmetry degrades resolution for legitimate users. The attack vector requires no privileges or interaction, only the ability to induce a target resolver to query an attacker-controlled or attacker-influenced zone. Confidentiality and integrity are unaffected; the impact is limited to availability.
Root Cause
The defect is an algorithmic complexity issue in resolver processing logic. Specific zone configurations trigger work that scales unfavorably relative to input size. ISC tracks the issue under [CWE-408], reflecting that processing order and validation behavior allow amplification before resource limits engage.
Attack Vector
An attacker hosts or controls a zone constructed to maximize resolver-side processing cost. The attacker then causes a victim BIND resolver to query that zone, either directly through open recursion or indirectly by inducing client queries that the resolver must follow. Each query yields significant resource consumption on the resolver, enabling denial-of-service amplification with modest attacker bandwidth.
No verified public exploit code is available. Refer to the ISC CVE-2026-3592 Documentation for vendor technical details.
Detection Methods for CVE-2026-3592
Indicators of Compromise
- Sustained spikes in named process CPU or memory consumption without a corresponding rise in legitimate client query volume.
- Recursive query patterns concentrated on a small number of unusual or newly observed authoritative zones.
- Growing resolver query queues, increased SERVFAIL rates, and elevated response latency for unrelated client traffic.
Detection Strategies
- Enable BIND query logging and statistics channels, then baseline per-zone query distributions to flag anomalous concentrations.
- Correlate resolver host telemetry (CPU, RSS, file descriptors) with outbound recursion patterns to identify resource amplification.
- Alert on repeated recursive lookups to low-reputation or recently registered zones using passive DNS or threat intelligence feeds.
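One way to implement the per-zone concentration check from the strategies above, as an added example that is not part of the advisory or of ISC's tooling: it parses BIND's standard query-log line format (as written with print-time, print-category and print-severity enabled), keeps only lookups that carried the RD flag, and lists zones that absorb an outsized share of recursion together with how many clients and distinct names drove it. The last-two-labels zone heuristic, the 40% share and 5-query thresholds, and the sample log lines are all constructed for illustration and should be replaced by a public-suffix list and a per-deployment baseline.

```python
"""Flag recursive-query concentration on a few zones in BIND query logs.

Added example for this page (not ISC code). It parses lines in BIND's
'queries' log category, keeps only lookups with the RD flag set, and
reports zones that absorb an outsized share of recursion. The registrable
zone is approximated as the last two labels of the name; that and the
thresholds are assumptions for illustration, not advisory guidance.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# One query line as BIND writes it with print-time, print-category and
# print-severity enabled. A leading '+' in the flags field means RD was set,
# i.e. the client asked this resolver to recurse on its behalf.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+)"
)


class ZoneStats(NamedTuple):
    zone: str
    queries: int      # RD queries that landed in this zone
    share: float      # fraction of all RD queries in the window
    clients: int      # distinct source addresses
    names: int        # distinct query names (many names, few clients = fan-out)


def zone_of(name: str) -> str:
    """Heuristic registrable domain: last two labels (assumption; use a
    public-suffix list in production)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_queries(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed fields of every RD query line; ignore other lines."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("flags").startswith("+"):
            out.append(m.groupdict())
    return out


def zone_concentration(log_text: str, share_threshold: float = 0.4,
                       min_queries: int = 5) -> List[ZoneStats]:
    """Zones whose share of recursive queries reaches share_threshold,
    most-queried first. Thresholds are illustrative; baseline per deployment."""
    queries = parse_queries(log_text)
    total = len(queries)
    per_zone: Counter = Counter()
    clients = defaultdict(set)
    names = defaultdict(set)
    for q in queries:
        zone = zone_of(q["name"])
        per_zone[zone] += 1
        clients[zone].add(q["client"])
        names[zone].add(q["name"].lower())
    flagged = []
    for zone, n in per_zone.most_common():
        share = n / total if total else 0.0
        if n >= min_queries and share >= share_threshold:
            flagged.append(ZoneStats(zone, n, share,
                                     len(clients[zone]), len(names[zone])))
    return flagged


def _logline(seq: int, client: str, name: str, flags: str = "+E(0)K") -> str:
    """Constructed sample line in BIND's query-log format (not real traffic)."""
    return (f"20-May-2026 10:00:{seq:02d}.000 queries: info: client @0x7f3a1c0021e0 "
            f"{client}#53412 ({name}): query: {name} IN A {flags} (10.0.0.1)")


# Constructed sample window: two internal clients fan out across twelve names
# under one zone, eight ordinary lookups go elsewhere, and one query has RD clear.
SAMPLE_LOG = "\n".join(
    [_logline(i, "10.0.0.5" if i % 2 else "10.0.0.6", f"a{i}.amplifier.test")
     for i in range(1, 13)]
    + [_logline(13, "10.0.0.7", "www.example.com"),
       _logline(14, "10.0.0.8", "www.example.com"),
       _logline(15, "10.0.0.7", "www.example.com"),
       _logline(16, "10.0.0.9", "mail.example.org"),
       _logline(17, "10.0.0.9", "mail.example.org"),
       _logline(18, "10.0.0.10", "cdn.example.net"),
       _logline(19, "10.0.0.11", "cdn.example.net"),
       _logline(20, "10.0.0.12", "ns1.example.edu"),
       _logline(21, "10.0.0.7", "www.example.com", flags="-E(0)")]
)

if __name__ == "__main__":
    for z in zone_concentration(SAMPLE_LOG):
        print(f"{z.zone}: {z.queries} queries ({z.share:.0%}), "
              f"{z.clients} clients, {z.names} names")
```

Run it over a sliding window of the query log (a few minutes at a time) rather than a whole day, and treat a hit as a lead to correlate with named CPU, RSS and SERVFAIL rates from the same window; a popular CDN or SaaS zone will legitimately dominate some deployments, so the share threshold must come from a baseline, not from this example.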
Monitoring Recommendations
- Track in-progress recursive lookups against the recursive-clients limit (rndc status reports them as current/soft-limit/hard-limit), TCP client slots against tcp-clients, and the memory counters exposed by the statistics channel, and forward these metrics to a SIEM.
- Monitor upstream and downstream DNS latency to detect resolver degradation before client-visible outages occur.
- Capture and retain DNS query logs for forensic correlation when resource-exhaustion symptoms appear.
How to Mitigate CVE-2026-3592
Immediate Actions Required
- Upgrade BIND 9 to a fixed release: 9.18.49, 9.20.23, or 9.21.22, available from the ISC BIND download site.
- Subscription Edition users should obtain the corresponding -S1 build directly from ISC.
- Restrict recursion to trusted clients using allow-recursion to reduce exposure from arbitrary external queriers.
Patch Information
ISC has released fixed versions BIND 9.18.49, BIND 9.20.23, and BIND 9.21.22. Operators on the end-of-life 9.11 and 9.16 branches receive no open-source fix and should migrate to a supported release. Full advisory details are documented in the ISC CVE-2026-3592 knowledge base article.
Workarounds
- Limit recursion scope with allow-recursion access control lists so only authorized internal clients can drive outbound queries.
- Bound concurrent outbound work with BIND's fetch limits: fetches-per-zone caps simultaneous fetches to any single zone and fetches-per-server caps them to any single authoritative server (excess queries are dropped or answered SERVFAIL), while recursive-clients caps in-progress recursive lookups for the whole resolver. These limits apply per zone, per server and per resolver, not per client; they blunt the amplification but do not remove the defect, so they complement rather than replace the upgrade.
- Deploy upstream DNS firewalls or Response Policy Zones (RPZ) to block resolution of known-malicious or attacker-controlled zones.
# Configuration example: constrain recursion and per-zone fetches in named.conf
options {
    recursion yes;
    # Only internal clients may drive outbound recursion.
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };
    # Cap simultaneous fetches to any one zone; excess queries are dropped.
    fetches-per-zone 200 drop;
    # Cap simultaneous fetches to any one authoritative server.
    fetches-per-server 100;
    # Hard ceiling on in-progress recursive lookups for the whole resolver.
    recursive-clients 1000;
};
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


