Use-After-Return in ISC BIND 9 named for SIG(0) (9.20.020, 9.21.019, 9.20.9S120)
CVE-2026-3591 Published on March 25, 2026
A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure.
This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.
BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
Vulnerability Analysis
CVE-2026-3591 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Types
Return of Stack Variable Address
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.
Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Products Associated with CVE-2026-3591
stack.watch emails you whenever new vulnerabilities are published in ISC BIND or Canonical Ubuntu Linux. Just hit a watch button to start following.
Affected Versions
ISC BIND 9:- Version 9.20.0, <= 9.20.20 is affected.
- Version 9.21.0, <= 9.21.19 is affected.
- Version 9.20.9-S1, <= 9.20.20-S1 is affected.
- Version 9.18.0, <= 9.18.46 is unaffected.
- Version 9.18.11-S1, <= 9.18.46-S1 is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.