CVE-2026-3591 PUBLISHED

A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass

Assigner: isc
Reserved: 05.03.2026 Published: 25.03.2026 Updated: 25.03.2026

A use-after-return vulnerability exists in the named server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	ISC
Product	BIND 9
Versions	Default: unaffected affected from 9.20.0 to 9.20.20 (incl.) affected from 9.21.0 to 9.21.19 (incl.) affected from 9.20.9-S1 to 9.20.20-S1 (incl.) unaffected from 9.18.0 to 9.18.46 (incl.) unaffected from 9.18.11-S1 to 9.18.46-S1 (incl.)

Exploits

We are not aware of any active exploits.

Workarounds

No workarounds known.

Solutions

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1.

Credits

ISC would like to thank Mcsky23 for bringing this vulnerability to our attention.

References

Problem Types

CWE-562 Return of Stack Variable Address CWE
CWE-305 Authentication Bypass by Primary Weakness CWE

Impacts

An attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access.