CVE-2026-3119 PUBLISHED

Authenticated query containing a TKEY record may cause named to terminate unexpectedly

Assigner: isc
Reserved: 24.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Under certain conditions, named may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the named configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ISC
Product	BIND 9
Versions	Default: unaffected affected from 9.20.0 to 9.20.20 (incl.) affected from 9.21.0 to 9.21.19 (incl.) affected from 9.20.9-S1 to 9.20.20-S1 (incl.) unaffected from 9.18.0 to 9.18.46 (incl.) unaffected from 9.18.11-S1 to 9.18.46-S1 (incl.)

Exploits

We are not aware of any active exploits.

Workarounds

Remove any TSIG keys that might be used by an attacker.

Solutions

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1.

Credits

ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention.