CVE-2026-3591

EUVD-2026-15413
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure.
This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.
BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
CVSS 3.x base score

Provider  Type     Base Score   Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  5.4 MEDIUM   NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Awaiting analysis: this vulnerability is currently awaiting analysis.

EPSS score: percentile 6%
Debian Releases

Product  Codename             Version               Status
bind9    bookworm             1:9.18.41-1~deb12u1   fixed
bind9    bookworm (security)  1:9.18.47-1~deb12u1   fixed
bind9    bullseye             1:9.16.50-1~deb11u2   fixed
bind9    bullseye (security)  1:9.16.50-1~deb11u5   fixed
bind9    forky                1:9.20.22-1           fixed
bind9    sid                  1:9.20.22-1           fixed
bind9    trixie                                     vulnerable
bind9    trixie (security)    1:9.20.21-1~deb13u1   fixed
Ubuntu Releases

Product     Codename  Status                                   
bind9       bionic    not-affected
bind9       focal     not-affected
bind9       jammy     not-affected
bind9       noble     not-affected
bind9       questing  released (fixed in 1:9.20.11-1ubuntu2.2)
bind9       resolute  not-affected
bind9       trusty    not-affected
bind9       xenial    not-affected
isc-dhcp    bionic    needs-triage
isc-dhcp    focal     not-affected
isc-dhcp    jammy     not-affected
isc-dhcp    noble     needs-triage
isc-dhcp    questing  needs-triage
isc-dhcp    resolute  needs-triage
isc-dhcp    trusty    not-affected
isc-dhcp    xenial    not-affected
bind9-libs  focal     needs-triage
bind9-libs  jammy     needs-triage
bind9-libs  noble     dne
bind9-libs  questing  dne
bind9-libs  resolute  dne
openSUSE / SLES Releases

Product   Release                        Version                 Status
bind      suse enterprise sap 15 SP7     9.20.21-150700.3.18.1   fixed
bind      suse enterprise server 15 SP7  9.20.21-150700.3.18.1   fixed
bind-doc  suse enterprise sap 15 SP7     9.20.21-150700.3.18.1   fixed
bind-doc  suse enterprise server 15 SP7  9.20.21-150700.3.18.1   fixed