Description
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure.
This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.
BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Acl Bypass, Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑return flaw exists in the named DNS server when processing SIG(0) signed queries. By sending a specially crafted DNS request, an attacker can cause the server to mis‑match an IP address against an ACL. In configurations that allow all traffic except for explicitly denied addresses, this flaw could let the attacker bypass access controls and gain unauthorized access.

Affected Systems

The vulnerability impacts ISC BIND 9 DNS server versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and the 9.20.9‑S1 through 9.20.20‑S1 releases. Versions 9.18.0–9.18.46 and 9.18.11‑S1–9.18.46‑S1 are not affected.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, and the flaw is not listed in CISA’s KEV catalog. The flaw can be triggered by any remote DNS query that reaches the vulnerable server, which an attacker can generate from any network with access to the server. Successful exploitation would result in ACL mis‑matching, allowing traffic that should be denied, potentially enabling unauthorized access to services behind the DNS server. The risk is present in deployments that rely on default‑allow ACLs and does not require local compromise of the system.

Generated by OpenCVE AI on March 26, 2026 at 04:23 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1.

Vendor Workaround

No workarounds known.

OpenCVE Recommended Actions

  • Upgrade to one of the ISC‑released patched BIND versions 9.20.21, 9.21.20, or 9.20.21‑S1

Generated by OpenCVE AI on March 26, 2026 at 04:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6181-1 bind9 security update
Ubuntu USN Ubuntu USN USN-8124-1 Bind vulnerabilities
History

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Description A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Title A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass
First Time appeared Isc
Isc bind
Weaknesses CWE-305
CWE-562
CPEs cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Vendors & Products Isc
Isc bind
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Isc Bind
cve-icon MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-03-25T14:13:01.659Z

Reserved: 2026-03-05T12:50:58.915Z

Link: CVE-2026-3591

cve-icon Vulnrichment

Updated: 2026-03-25T14:12:54.940Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T14:16:37.297

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-3591

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T13:34:14Z

Links: CVE-2026-3591 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:13:25Z

Weaknesses