CVE-2026-3591
Status: Analyzed - Analysis Complete
Use-After-Return in BIND named Causes Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-05-21

Assigner: Internet Systems Consortium (ISC)

Description
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-25
External records: NVD, EUVD
Affected Vendors & Products
Vendor  Product  Version / Range
isc     bind     9.20.0 (inclusive) to 9.20.21 (exclusive)
isc     bind     9.21.0 (inclusive) to 9.21.20 (exclusive)
CWE
CWE-305  Authentication Bypass by Primary Weakness: the authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
CWE-562  Return of Stack Variable Address: a function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-return issue in the 'named' server component of BIND when processing DNS queries signed with SIG(0). An attacker can send a specially crafted DNS request that causes an Access Control List (ACL) to incorrectly match an IP address.

In configurations where the ACL is set to default-allow (meaning it denies only specific IP addresses), this flaw may allow unauthorized access by bypassing the intended restrictions. However, default-deny ACLs (which deny by default and allow only specific IPs) should remain secure against this issue.


How can this vulnerability impact me?

If you use a default-allow ACL configuration in affected versions of BIND, this vulnerability could allow an attacker to gain unauthorized access by causing the ACL to misidentify IP addresses.

In BIND, ACLs gate operations such as queries, recursion, zone transfers and dynamic updates (allow-query, allow-recursion, allow-transfer, allow-update), so a mismatched ACL could answer a client that should have been refused, hand out zone data, or accept changes from a source that should have been rejected, compromising the confidentiality and integrity of your DNS infrastructure.

However, if you use default-deny ACLs, the vulnerability should not allow unauthorized access, as these configurations fail-secure.
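The distinction the two answers above draw between default-allow and default-deny ACLs can be checked mechanically. The script below is an added example for this page, not code from ISC or from the advisory: `acl_policy` and `scan_named_conf` are names chosen here, the named.conf fragment is constructed, and the scanner assumes each allow-* directive sits on a single line without comments. BIND evaluates an ACL first-match-wins and denies anything that matches no element, so an ACL that ends in `any` (or `0.0.0.0/0`, `::/0`) after some `!` negations is the default-allow shape the advisory says can be mismatched into granting access, while an ACL that only lists permitted sources is default-deny.

```shell
#!/bin/sh
# Added example (not ISC code): classify BIND ACL bodies as default-allow or
# default-deny. BIND matches ACL elements first-match-wins and denies whatever
# matches nothing, so the last element decides the fall-through policy.
# Assumption: one allow-* directive per line, no comments inside the braces.

# acl_policy BODY  -> prints "default-allow" or "default-deny"
acl_policy() {
    last=$(printf '%s' "$1" |
        tr -d '{}' | tr ';' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v '^$' | tail -n 1)
    case "$last" in
        any|0.0.0.0/0|::/0) echo default-allow ;;
        *)                  echo default-deny ;;
    esac
}

# scan_named_conf < named.conf  -> one "directive policy" line per allow-* directive
scan_named_conf() {
    sed -n 's/^[[:space:]]*\(allow-[a-z-]*\)[[:space:]]*\({[^}]*}\).*/\1 \2/p' |
    while read -r directive body; do
        printf '%s %s\n' "$directive" "$(acl_policy "$body")"
    done
}

# Constructed named.conf fragment (not from the page). The first ACL denies one
# host and then falls through to "any" (the weak shape); the other two name only
# the permitted networks, so an unmatched address is denied.
SAMPLE_CONF='options {
    allow-query     { !192.0.2.5; any; };
    allow-transfer  { 192.0.2.0/24; 2001:db8::/32; };
    allow-recursion { 10.0.0.0/8; };
};'

printf '%s\n' "$SAMPLE_CONF" | scan_named_conf
# On a real server:  scan_named_conf < /etc/bind/named.conf
```

Run against the sample, the scanner reports `allow-query default-allow` and `default-deny` for the other two directives. Rewriting the first ACL as an explicit allow-list (`{ 192.0.2.0/24; }`) removes the default-allow shape; the advisory notes that default-deny ACLs are expected to fail secure, which narrows exposure but does not replace the patch.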


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can lead to unauthorized access due to improper IP address matching in Access Control Lists (ACLs) when using default-allow configurations. Such unauthorized access could potentially result in exposure or compromise of sensitive data.

As a result, organizations using affected BIND 9 versions without proper mitigation may face challenges in maintaining compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive information.

Mitigation by upgrading to patched BIND 9 releases is recommended to reduce the risk of unauthorized access and help maintain compliance.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step to mitigate this vulnerability is to upgrade your BIND 9 DNS server to a patched release version.

  • Upgrade to BIND 9 version 9.20.21 or later.
  • Upgrade to BIND 9 version 9.21.20 or later.
  • For the Supported Preview Edition, upgrade to version 9.20.21-S1 or later.

No workarounds are currently known, so applying the official patches is the primary mitigation. Until the upgrade is done, review any ACL written as deny-a-few-then-`any` (default-allow): the advisory states that this is the shape that can be mismatched into granting access and that default-deny ACLs are expected to fail secure, so converting such ACLs to explicit allow-lists narrows exposure but does not replace the patch.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are no specific detection commands or signatures in the available information for identifying this vulnerability on your network or system.

The flaw is a use-after-return in BIND 9's handling of DNS queries signed with SIG(0) that can cause an ACL to mis-match the client address. Detection is therefore indirect: SIG(0)-signed messages carry a SIG resource record in the additional section, which ordinary client traffic rarely uses, so SIG(0) queries arriving from sources that should not be sending them, or answers given through a default-allow ACL to an address that ACL is meant to exclude, are the events worth logging and alerting on.

The recommended action is to verify the BIND 9 version running on each system (`named -v`, or the `version:` line of `rndc status`) and upgrade to patched versions (9.20.21, 9.21.20, or 9.20.21-S1) if affected. Distribution packages may carry the fix under an older upstream version number, so check the distribution's advisory as well.
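The version check above is easy to get wrong by hand because the affected ranges differ per branch and the Supported Preview Edition (-S1) range starts later. The script below is an added example for this page, not ISC's code: `bind_affected` and `installed_bind_version` are names chosen here, the sample versions are constructed, and the parser assumes distribution suffixes such as `-1-Debian` can be ignored while `-S1` marks the preview edition.

```shell
#!/bin/sh
# Added example (not ISC code): check a BIND 9 version string against the
# affected ranges the advisory lists for CVE-2026-3591:
#   9.20.0 .. 9.20.20, 9.21.0 .. 9.21.19 and 9.20.9-S1 .. 9.20.20-S1 are affected;
#   9.18.x (including 9.18.x-S1) is not.
# Assumption: distribution suffixes ("9.20.12-1-Debian") are ignored; only "-S1"
# is meaningful.

# bind_affected VERSION -> prints a verdict; exit 0 affected, 1 not affected, 2 unparsable
bind_affected() {
    v=$1
    base=${v%%-*}                                   # "9.20.12-S1" -> "9.20.12"
    case "$v" in *-S1*) suffix=-S1 ;; *) suffix= ;; esac
    case "$base" in *.*.*) ;; *) echo "$v: unrecognised version string"; return 2 ;; esac
    major=${base%%.*}; rest=${base#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$patch" in
        ''|*[!0-9]*) echo "$v: unrecognised version string"; return 2 ;;
    esac
    case "$major.$minor$suffix" in
        9.20)    lo=0; hi=20 ;;                     # 9.20.0 .. 9.20.20
        9.20-S1) lo=9; hi=20 ;;                     # 9.20.9-S1 .. 9.20.20-S1
        9.21)    lo=0; hi=19 ;;                     # 9.21.0 .. 9.21.19
        *)       echo "$v: not in an affected branch"; return 1 ;;
    esac
    if [ "$patch" -ge "$lo" ] && [ "$patch" -le "$hi" ]; then
        echo "$v: AFFECTED, upgrade to $major.$minor.$((hi + 1))$suffix or later"
        return 0
    fi
    echo "$v: not affected"
    return 1
}

# installed_bind_version -> prints the version reported by "named -v" if named is on PATH
installed_bind_version() {
    command -v named >/dev/null 2>&1 || return 1
    named -v 2>/dev/null | sed -n 's/^BIND \([^ ]*\).*/\1/p'
}

# Constructed sample versions (not from the page), then the local named if present.
for ver in 9.20.12 9.20.21 9.21.19 9.20.15-S1 9.20.5-S1 9.18.46 9.20.12-1-Debian; do
    bind_affected "$ver" || :
done
if installed=$(installed_bind_version); then
    bind_affected "$installed" || :
fi
```

The fixed version it recommends is derived from the page's ranges (9.20.21, 9.21.20, 9.20.21-S1). A version string alone is not proof: distributions often backport the fix without changing the upstream version, so a hit from this script means "check the package changelog or vendor advisory", not "confirmed vulnerable".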

