CVE-2026-3119 - Vulnerability Details

Description

Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration.
This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.
BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Published: 2026-03-25

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

BIND 9's named daemon may crash when processing a correctly signed query that contains a TKEY record. The flaw is triggered only when the query includes a valid TSIG signature from a key defined in the server’s configuration. The crash results in a sudden termination of the named process, leading to a denial of service for DNS resolution on the affected system.

Affected Systems

ISC:BIND 9 releases 9.20.0–9.20.20, 9.21.0–9.21.19, and 9.20.9-S1–9.20.20-S1 are affected. Earlier 9.18.x releases are not impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. Because an attacker needs to send a DNS query signed with a TSIG key that the server trusts, the likelihood of exploitation depends on how many unnecessary TSIG keys are present. Successful exploitation would briefly disrupt DNS services on the affected host. The vulnerability is not listed in the CISA KEV catalog, and no EPSS score is available.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ISC

BIND 9

unaffected

Version	Status	Constraints
`9.20.0`	affected	≤ 9.20.20
`9.21.0`	affected	≤ 9.21.19
`9.20.9-S1`	affected	≤ 9.20.20-S1
`9.18.0`	unaffected	≤ 9.18.46
`9.18.11-S1`	unaffected	≤ 9.18.46-S1

No data.

Vendor Product Confidence Versions

Isc

Bind

95%

Version	Status	Scheme	Platform
`[9.20.0,9.20.20]`	affected	semver	—
`[9.21.0,9.21.19]`	affected	semver	—
`[9.20.9-S1,9.20.20-S1]`	affected	semver	—
`[9.18.0,9.18.46]`	unaffected	semver	—
`[9.18.11-S1,9.18.46-S1]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1.

Vendor Workaround

Remove any TSIG keys that might be used by an attacker.

OpenCVE Recommended Actions

Upgrade to the latest BIND 9 release (9.20.21, 9.21.20, or 9.20.21-S1) that contains the patch.
Remove any TSIG keys that could be used by an attacker to sign queries.
Verify that only necessary TSIG keys are configured in named.conf.
Monitor named process for unexpected restarts as a potential indicator of an attack.

Generated by OpenCVE AI on March 26, 2026 at 04:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6181-1	bind9 security update
Ubuntu USN	USN-8124-1	Bind vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://downloads.isc.org/isc/bind9/9.20.21
https://downloads.isc.org/isc/bind9/9.21.20
https://kb.isc.org/docs/cve-2026-3119
https://nvd.nist.gov/vuln/detail/CVE-2026-3119
https://www.cve.org/CVERecord?id=CVE-2026-3119

History

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-237
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3119 https://www.cve.org/CVERecord?id=CVE-2026-3119
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 25 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Title		Authenticated query containing a TKEY record may cause named to terminate unexpectedly
First Time appeared		Isc Isc bind
Weaknesses		CWE-617
CPEs		cpe:2.3:a:isc:bind::::::::
Vendors & Products		Isc Isc bind
References		https://downloads.isc.org/isc/bind9/9.20.21 https://downloads.isc.org/isc/bind9/9.21.20 https://kb.isc.org/docs/cve-2026-3119
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Isc Bind

MITRE

Status: PUBLISHED

Assigner: isc

Published: 2026-03-25T13:31:54.806Z

Updated: 2026-03-25T14:13:54.588Z

Reserved: 2026-02-24T12:29:14.561Z

Link: CVE-2026-3119

Vulnrichment

Updated: 2026-03-25T14:13:48.560Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T14:16:37.097

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-3119

Redhat

Severity : Moderate

Publid Date: 2026-03-25T13:31:54Z

Links: CVE-2026-3119 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:13:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object