CVE-2026-3591 in BIND
Summary
by MITRE • 03/25/2026
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Analysis
by VulDB Data Team • 03/31/2026
CVE-2026-3591 is a use-after-return flaw in the `named` server that is reached while processing DNS queries carrying a SIG(0) signature. In a use-after-return, a reference to a stack-allocated object outlives the function that owned it, so code that later follows the reference reads whatever now occupies that stack slot rather than memory that was explicitly freed. In this case the stale reference is followed during SIG(0) handling, and the stale data feeds into the access-control check that `named` applies to the request. That check decides whether a client may query, transfer or update a zone, so an error there bears directly on the security of every system that depends on the server.
As far as the advisory describes it, exploitation consists of sending a specially crafted SIG(0)-signed query to an affected server. The advisory does not report a crash or code execution; the consequence it documents is that the ACL evaluation can mis-match the client IP address, so that an address which should have matched a deny entry is evaluated as if it had not. The outcome then depends on how the ACL is built. A default-allow list, one that names a few denied addresses and then allows everyone else, treats an address that matches none of its deny entries as permitted, so the mis-match grants the attacker exactly the access the deny entry was meant to block. A default-deny list names only the permitted addresses, and an address that matches nothing is refused by the server's implicit default, so the same mis-match fails closed. That is why the advisory expects default-deny configurations to fail secure.
Operationally the exposure is an access-control bypass rather than an outage. The affected releases are BIND 9.20.0 through 9.20.20, 9.21.0 through 9.21.19 and the subscriber editions 9.20.9-S1 through 9.20.20-S1; the 9.18 branch (9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1) is not affected. On an affected server, any allow-query, allow-recursion, allow-transfer, allow-update or similar directive whose address-match list is a set of deny entries followed by an allow-everything entry can be made to accept a request from an address it was written to refuse. The practical severity follows from which operations those lists guard: an unauthorised zone transfer leaks zone contents, and an unauthorised dynamic update changes them. Lists that enumerate only the permitted addresses are not exposed in the same way, because the failure mode leaves the attacker's address unmatched and unmatched addresses are refused.
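The difference between the two ACL shapes can be checked mechanically, which is also the ACL review the mitigation advice below asks for. The following Python script is an added example, not BIND code and not part of the VulDB analysis. It parses the `acl` definitions and `allow-*` directives out of a constructed `named.conf` excerpt (the ACL names, zone and addresses are invented; the addresses come from the RFC 5737 and RFC 3849 documentation ranges), classifies each address-match list as default-deny, default-allow (negated entries followed by `any`) or allow-all, and evaluates the lists with BIND's first-match rule, once normally and once with negated entries treated as non-matching to model the mis-match the advisory describes. Only IP prefixes, `any`, `none` and nested ACL names are handled; TSIG keys, `localhost`, `localnets` and GeoIP elements are skipped, and the nested-list rule (only a positive inner match counts) is this script's reading of BIND's documented behaviour, not code taken from it.

```python
"""Heuristic audit of BIND address-match lists for the default-allow shape.

Added example, not BIND code. Handles IP prefixes, 'any', 'none' and nested
ACL names; TSIG keys, localhost/localnets and GeoIP elements are skipped."""
import ipaddress
import re

# Constructed named.conf excerpt (invented names, RFC 5737/3849 addresses).
# "updaters-denylist" is the deny-a-few-then-any shape the advisory warns
# about; "updaters-allowlist" is its default-deny equivalent.
SAMPLE_NAMED_CONF = """
acl "blocked" { 198.51.100.7; 203.0.113.0/24; };
acl "updaters-denylist" { !blocked; any; };                   // default-allow
acl "updaters-allowlist" { 192.0.2.0/24; 2001:db8::/32; };     // default-deny

zone "example.test" {
    type primary;
    file "example.test.db";
    allow-update { updaters-denylist; };
    allow-transfer { !203.0.113.9; any; };
    allow-query { any; };
};
"""

ACL_DEF = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}')
ALLOW_DIRECTIVE = re.compile(r'\b(allow-[\w-]+)\s*\{([^}]*)\}')


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def split_list(body):
    """'{ !blocked; any; }' body -> ['!blocked', 'any']."""
    return [t.strip().replace('"', "") for t in body.split(";") if t.strip()]


def parse(text):
    """Return ({acl name: tokens}, [(directive, tokens)])."""
    text = strip_comments(text)
    acls = {name: split_list(body) for name, body in ACL_DEF.findall(text)}
    directives = [(d, split_list(body)) for d, body in ALLOW_DIRECTIVE.findall(text)]
    return acls, directives


def classify(tokens, acls, depth=0):
    """'default-deny', 'default-allow' (negated entries then any) or 'allow-all'."""
    saw_negation = False
    for tok in tokens:
        if tok.startswith("!"):
            saw_negation = True
            continue
        if tok == "any":
            return "default-allow" if saw_negation else "allow-all"
        if tok in acls and depth < 8:                    # nested list, used positively
            inner = classify(acls[tok], acls, depth + 1)
            if inner != "default-deny":
                return "default-allow" if saw_negation or inner == "default-allow" else "allow-all"
    return "default-deny"                                # no 'any' reached: unmatched addresses are refused


def evaluate(tokens, addr, acls, skip_negated=False, depth=0):
    """First-match evaluation in BIND's order; returns 'allow' or 'deny'.

    skip_negated=True models the mis-match the advisory describes: a negated
    entry that should have matched the client is treated as not matching."""
    ip = ipaddress.ip_address(addr)
    for tok in tokens:
        negated = tok.startswith("!")
        elem = tok.lstrip("!").strip()
        if negated and skip_negated:
            continue
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in acls and depth < 8:
            # Assumption: only a positive match in a nested list counts; a
            # negative or no match inside it means this element does not match.
            hit = evaluate(acls[elem], str(ip), acls, skip_negated, depth + 1) == "allow"
        else:
            try:
                hit = ip in ipaddress.ip_network(elem, strict=False)
            except ValueError:
                hit = False                              # keys, localhost etc. not modelled
        if hit:
            return "deny" if negated else "allow"
    return "deny"                                        # implicit default when nothing matched


def audit(text):
    """[(directive, classification)] for every allow-* directive in the file."""
    acls, directives = parse(text)
    return [(d, classify(toks, acls)) for d, toks in directives]


if __name__ == "__main__":
    acls, _ = parse(SAMPLE_NAMED_CONF)
    for directive, verdict in audit(SAMPLE_NAMED_CONF):
        print(f"{directive:15} {verdict}")
    for name in ("updaters-denylist", "updaters-allowlist"):
        normal = evaluate(acls[name], "198.51.100.7", acls)
        mismatch = evaluate(acls[name], "198.51.100.7", acls, skip_negated=True)
        print(f"{name}: normal={normal} under-mismatch={mismatch}")
```

Run `audit(open(path).read())` against a real `named.conf`; a `default-allow` verdict on an allow-update or allow-transfer directive marks a list to rewrite as an allow-list before the server is patched. The `evaluate` calls in the main block show the two outcomes the advisory contrasts: the blocked address 198.51.100.7 is refused by both lists normally, but once the negated entry fails to match it is accepted by the deny-list shape and still refused by the allow-list shape.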
The remedy is to upgrade affected servers to a release newer than the affected ranges on the 9.20 or 9.21 branch; the 9.18 branch needs no change. Until that is done, the most effective compensating control follows directly from the advisory: rewrite default-allow address-match lists as default-deny lists that name only the addresses entitled to each operation, since those fail closed when the mis-match occurs. Review allow-query, allow-recursion, allow-transfer, allow-update and allow-notify directives together with any acl definitions they reference, starting with the dynamic-update and zone-transfer lists. Network segmentation and monitoring of DNS traffic are secondary controls. Because the trigger is a SIG(0)-signed query, logging how many such queries a server receives and from where gives a baseline against which attempts would stand out, with the caveat that the advisory does not say what distinguishes the crafted query from a legitimate one, so SIG(0) use alone is not evidence of an attack. VulDB classifies the flaw under CWE-416 (Use After Free); a use-after-return is the same lifetime error applied to a stack object rather than a heap allocation. VulDB also maps it to ATT&CK technique T1071.004 (Application Layer Protocol: DNS), which covers command-and-control traffic carried over DNS.
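For the monitoring side, the one property the advisory gives about the trigger is that the query carries a SIG(0) signature. The following Python script is an added example, not BIND or VulDB code: it parses a raw DNS message and reports any SIG record (type 24) in the additional section whose type-covered field is 0, which is how RFC 2931 defines a SIG(0) transaction signature, together with the signer name, key tag, algorithm and whether the record has the RFC 2931 shape (root owner, class ANY, TTL 0, zero labels and original TTL). The two sample messages are constructed inline by the script's own builder (invented names, key tag 4242, algorithm 13 and a zero-filled placeholder signature), so nothing is captured from a network and nothing is actually signed. It flags every SIG(0)-signed query, legitimate or not; it is a baseline and logging aid, not an exploit signature.

```python
"""Report SIG(0) transaction signatures (RFC 2931) in raw DNS messages.

Added example for logging SIG(0)-signed queries; not BIND code. Standard
library only, so it can run offline or be fed from a pcap reader."""
import struct

TYPE_SIG = 24      # SIG resource record type
CLASS_ANY = 255


def encode_name(name):
    """Wire-format an uncompressed domain name ('.' gives the root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers.

    Returns (dotted name, offset just past the name in the message)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def find_sig0(msg):
    """Return one dict per SIG(0) record found in the additional section."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # question: name, type, class
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an + ns):                             # skip answer/authority RRs
        _, off = read_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    found = []
    for _ in range(ar):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_start, off = off + 10, off + 10 + rdlen
        if rtype != TYPE_SIG or rdlen < 18:
            continue
        covered, alg, labels, orig_ttl, expire, incept, key_tag = struct.unpack(
            "!HBBIIIH", msg[rdata_start:rdata_start + 18])
        if covered != 0:
            continue                                     # SIG over an RRset, not SIG(0)
        signer, sig_start = read_name(msg, rdata_start + 18)
        found.append({
            "signer": signer,
            "key_tag": key_tag,
            "algorithm": alg,
            "inception": incept,
            "expiration": expire,
            "signature_len": off - sig_start,
            # RFC 2931: root owner, class ANY, TTL 0, labels 0, original TTL 0
            "rfc2931_shape": owner == "." and rclass == CLASS_ANY and ttl == 0
                             and labels == 0 and orig_ttl == 0,
        })
    return found


def build_query(qname, sig0=None):
    """Constructed test message: a standard A query, optionally SIG(0)-signed.

    sig0 is (signer, key_tag, algorithm, signature bytes). The signature is a
    placeholder; this builder does not sign anything."""
    arcount = 1 if sig0 else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if sig0:
        signer, key_tag, alg, sig = sig0
        rdata = (struct.pack("!HBBIIIH", 0, alg, 0, 0, 1900000500, 1900000000, key_tag)
                 + encode_name(signer) + sig)
        msg += encode_name(".") + struct.pack("!HHIH", TYPE_SIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg


# Constructed samples: invented names, key tag and a zero-filled 64-byte signature.
PLAIN_QUERY = build_query("www.example.test")
SIG0_QUERY = build_query("www.example.test", ("updater.example.test", 4242, 13, b"\x00" * 64))

if __name__ == "__main__":
    for label, q in (("plain", PLAIN_QUERY), ("sig0", SIG0_QUERY)):
        print(label, find_sig0(q))
```

Feed `find_sig0` the UDP payload (or the length-prefixed TCP record minus its two-byte prefix) of each inbound query and log the signer and key tag alongside the client address; a signer or source that has never appeared before, or a SIG(0) record without the RFC 2931 shape, is what to look at first on an unpatched server.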