CVE-2026-3591
Analyzed Analyzed - Analysis Complete
Use-After-Return in BIND named Causes Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-05-21

Assigner: Internet Systems Consortium (ISC)

Description
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3591
EUVD
EUVD-2026-15413
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
isc bind From 9.20.0 (inc) to 9.20.21 (exc)
isc bind From 9.21.0 (inc) to 9.21.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
CWE-562 A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

There are no specific detection commands or methods provided in the available information for identifying this vulnerability on your network or system.

The vulnerability involves a use-after-return flaw in BIND 9 when processing DNS queries signed with SIG(0), which may cause ACL mis-matching. Detection would likely require monitoring for unusual DNS query patterns or unauthorized access attempts related to SIG(0) signed queries, but no explicit detection commands or signatures are given.

The recommended action is to verify the version of BIND 9 running on your systems and upgrade to patched versions (9.20.21, 9.21.20, or 9.20.21-S1) if affected.

Executive Summary

This vulnerability is a use-after-return issue in the 'named' server component of BIND when processing DNS queries signed with SIG(0). An attacker can send a specially crafted DNS request that causes an Access Control List (ACL) to incorrectly match an IP address.

In configurations where the ACL is set to default-allow (meaning it denies only specific IP addresses), this flaw may allow unauthorized access by bypassing the intended restrictions. However, default-deny ACLs (which deny by default and allow only specific IPs) should remain secure against this issue.

Impact Analysis

If you use a default-allow ACL configuration in affected versions of BIND, this vulnerability could allow an attacker to gain unauthorized access by causing the ACL to misidentify IP addresses.

This could lead to security breaches where unauthorized users access resources or services that should be restricted, potentially compromising the integrity and confidentiality of your DNS infrastructure.

However, if you use default-deny ACLs, the vulnerability should not allow unauthorized access, as these configurations fail-secure.

Compliance Impact

This vulnerability can lead to unauthorized access due to improper IP address matching in Access Control Lists (ACLs) when using default-allow configurations. Such unauthorized access could potentially result in exposure or compromise of sensitive data.

As a result, organizations using affected BIND 9 versions without proper mitigation may face challenges in maintaining compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

Mitigation by upgrading to patched BIND 9 releases is recommended to reduce the risk of unauthorized access and help maintain compliance.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade your BIND 9 DNS server to a patched release version.

  • Upgrade to BIND 9 version 9.20.21 or later.
  • Upgrade to BIND 9 version 9.21.20 or later.
  • For the Supported Preview Edition, upgrade to version 9.20.21-S1 or later.

No workarounds are currently known, so applying the official patches is the primary mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart