VYPR
Medium severity 5.3 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-3592

Description

BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BIND 9 resolvers are vulnerable to an amplified resource consumption/exhaustion attack via self-pointed glue records, potentially causing disproportionate resource consumption and TCP impairment.

Vulnerability

The vulnerability exists in BIND 9 recursive resolvers when they query a specially crafted zone containing self-pointed glue records. Resolvers may consume disproportionate resources, including bandwidth and CPU, attempting to resolve such names. The issue affects BIND versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and the corresponding Supported Preview Edition versions [1].

Exploitation

An attacker must host a malicious zone and cause a victim resolver to query it (e.g., by sending a query for a domain within that zone). No authentication is required, and the attack can be launched remotely over the network [1]. The resolver will attempt to resolve the name by following self-pointed glue records, leading to excessive resource consumption.

Impact

Successful exploitation allows an attacker to cause the resolver to consume disproportionate amounts of bandwidth and possibly impair TCP connections, resulting in a denial-of-service condition. The vulnerability does not allow data confidentiality or integrity compromise [1].

Mitigation

ISC has released patched versions: BIND 9.18.49, 9.20.23, and 9.21.22 (and S-Preview equivalents 9.18.49-S1, 9.20.23-S1). Users should upgrade to the appropriate fixed version [1],[2],[3],[4]. No workarounds are available. Authoritative-only servers with trusted zones are not affected [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: >=9.11.0,<=9.16.50 || >=9.18.0,<=9.18.48 || >=9.20.0,<=9.20.22 || >=9.21.0,<=9.21.21 || >=9.11.3-S1,<=9.16.50-S1 || >=9.18.11-S1,<=9.18.48-S1 || >=9.20.9-S1,<=9.20.22-S1
  • Isc/Bind (llm-fuzzy)
    Range: 9.11.0 through 9.21.21 and corresponding S versions
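
A fleet-inventory check built from the affected ranges and fixed releases listed on this page, as an added example (not ISC's or this site's code): it parses a `named -v` style banner and reports whether the version falls in an affected range and which fixed release, if any, the page names for that branch. The function name `assess` and the sample banners are constructed for illustration.

```python
import re

# Inclusive affected ranges from this advisory; key True = Supported Preview (-S) builds.
AFFECTED = {
    False: [((9, 11, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 48)),
            ((9, 20, 0), (9, 20, 22)), ((9, 21, 0), (9, 21, 21))],
    True: [((9, 11, 3), (9, 16, 50)), ((9, 18, 11), (9, 18, 48)),
           ((9, 20, 9), (9, 20, 22))],
}
# Fixed releases named in the Mitigation text, keyed by release branch.
FIXED = {
    False: {(9, 18): "9.18.49", (9, 20): "9.20.23", (9, 21): "9.21.22"},
    True: {(9, 18): "9.18.49-S1", (9, 20): "9.20.23-S1"},
}
# major.minor.patch with an optional -S<n> suffix; distro suffixes are ignored.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def assess(banner):
    """Return (status, fixed release on the same branch or None).

    Version-only check: it cannot see distro backports of the fix, nor
    whether the server is authoritative-only, so treat "affected" as
    "needs review" for vendor-packaged builds.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        return ("unparsed", None)
    version = tuple(int(part) for part in m.group(1, 2, 3))
    preview = m.group(4) is not None
    if not any(lo <= version <= hi for lo, hi in AFFECTED[preview]):
        return ("not-listed", None)  # outside the advisory's ranges
    # Branches with no fixed release on this page (e.g. 9.16) yield None.
    return ("affected", FIXED[preview].get(version[:2]))


if __name__ == "__main__":
    samples = [  # constructed banners, not taken from real hosts
        "BIND 9.18.48 (Extended Support Version) <id:>",
        "BIND 9.18.49 (Extended Support Version) <id:>",
        "BIND 9.16.50-S1 (Extended Support Version) <id:>",
        "BIND 9.20.8-S1 (Stable Release) <id:>",
    ]
    for line in samples:
        print(f"{line!r:55} -> {assess(line)}")
```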

Patches

0

No patches discovered yet.

References

4
