CVE-2026-3591 Overview
A use-after-return vulnerability exists in the ISC BIND named server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an Access Control List (ACL) to improperly match an IP address. In a default-allow ACL configuration (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure.
Critical Impact
Attackers can bypass IP-based access controls in BIND DNS servers configured with default-allow ACLs, potentially gaining unauthorized access to DNS services and resources.
Affected Products
- BIND 9 versions 9.20.0 through 9.20.20
- BIND 9 versions 9.21.0 through 9.21.19
- BIND 9 versions 9.20.9-S1 through 9.20.20-S1
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-3591 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-3591
Vulnerability Analysis
This vulnerability is classified under CWE-305 (Authentication Bypass by Primary Weakness). The use-after-return condition occurs within the named server's handling of SIG(0)-signed DNS queries. When processing these specially-crafted requests, the server may reference memory on the stack after the function has returned, leading to unpredictable behavior in ACL evaluation.
The vulnerability specifically affects how IP addresses are matched against ACL rules. When an attacker sends a malformed SIG(0)-signed DNS query, the ACL evaluation logic may use stale stack data, causing IP addresses to be incorrectly matched or mismatched against ACL entries.
The network-based attack vector allows remote exploitation without user interaction, though authentication is required. The impact primarily affects confidentiality and integrity through unauthorized access to DNS services.
Root Cause
The root cause is a use-after-return memory safety issue in the SIG(0) query processing code path. When the named server processes DNS queries with SIG(0) signatures, certain stack-allocated variables are referenced after the function scope ends. This results in ACL matching logic operating on corrupted or unpredictable memory contents, leading to authentication bypass conditions where IP-based restrictions may be incorrectly evaluated.
Attack Vector
The attack requires network access to a vulnerable BIND server. An attacker can exploit this vulnerability by:
- Crafting a DNS query with a specially-constructed SIG(0) signature
- Sending the malicious query to a target BIND named server
- Triggering the use-after-return condition during ACL evaluation
- Bypassing IP-based access restrictions if the server uses a default-allow ACL configuration
The vulnerability specifically targets the authentication and authorization mechanism within BIND's ACL processing. Servers configured with default-deny ACLs are less impacted as they fail-secure, while default-allow configurations are vulnerable to unauthorized access.
For detailed technical information about the exploitation mechanism, refer to the ISC CVE-2026-3591 Documentation.
Detection Methods for CVE-2026-3591
Indicators of Compromise
- Unusual DNS queries with SIG(0) signatures from unexpected source IP addresses
- DNS server log entries showing ACL evaluation anomalies or unexpected access grants
- Increased volume of signed DNS queries targeting the named server
- Access to DNS resources from IP addresses that should be blocked by ACL rules
Detection Strategies
- Monitor DNS query logs for SIG(0)-signed requests from untrusted sources
- Implement network-level monitoring for anomalous DNS traffic patterns
- Review BIND server logs for unexpected ACL match results or authentication events
- Deploy intrusion detection rules to identify malformed SIG(0) query signatures
Monitoring Recommendations
- Enable detailed query logging in BIND configuration to capture SIG(0) signed requests
- Set up alerts for DNS access from IP addresses that should be denied by ACL rules
- Monitor for sudden changes in DNS query patterns or unauthorized zone transfers
- Implement network flow analysis to detect reconnaissance activity targeting DNS infrastructure
How to Mitigate CVE-2026-3591
Immediate Actions Required
- Upgrade BIND to version 9.20.21 or 9.21.20 immediately
- Review and audit current ACL configurations for default-allow patterns
- Consider switching to default-deny ACL configurations where possible
- Monitor DNS server logs for suspicious SIG(0) query activity until patching is complete
Patch Information
ISC has released patched versions that address this vulnerability. Organizations should upgrade to:
- BIND 9.20.21 for the 9.20.x branch
- BIND 9.21.20 for the 9.21.x branch
Note that BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected by this vulnerability.
For complete details, consult the ISC CVE-2026-3591 Documentation.
Workarounds
- Implement default-deny ACL configurations instead of default-allow patterns
- Restrict network access to the DNS server using firewall rules at the perimeter
- Disable SIG(0) support if not required for your environment
- Use additional authentication mechanisms for sensitive DNS operations
# Example: convert a default-allow ACL to a default-deny (fail-secure) configuration
# Before (vulnerable pattern): a single explicit deny followed by "any"
# acl "trusted" { !192.168.1.100; any; };
# After (fail-secure pattern): list only the networks that are allowed
acl "trusted" { 10.0.0.0/8; 172.16.0.0/12; };
# In named.conf, reference the ACL from explicit allow lists:
allow-query { trusted; };
allow-transfer { none; };
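The following Python script is an added example (not code from this page or from ISC) that serves both the detection strategies above and the ACL workaround: it evaluates a named.conf-style ACL with named's first-match, no-match-denies semantics, contrasting the default-allow and default-deny lists, and audits a few constructed querylog lines for queries whose source the ACL should have denied. It assumes BIND's querylog line format and that the `S` flag after the `+`/`-` marker denotes a signed query.

```python
import ipaddress
import re

# Constructed querylog lines (sample input, not real traffic), in BIND's querylog format.
SAMPLE_LOG = """\
client @0x7f3c2c000 10.0.5.20#41233 (www.example.net): query: www.example.net IN A +E(0)K (10.0.5.1)
client @0x7f3c2c001 192.168.1.100#53000 (www.example.net): query: www.example.net IN A +SE(0) (10.0.5.1)
client @0x7f3c2c002 198.51.100.7#5353 (example.net): query: example.net IN AXFR -SE(0)T (10.0.5.1)
client @0x7f3c2c003 172.16.9.4#6000 (www.example.net): query: www.example.net IN AAAA +E(0) (10.0.5.1)
"""
LOG_RE = re.compile(r"client @\S+ (?P<ip>[0-9a-fA-F.:]+)#\d+ \(.*?\): query: "
                    r"(?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)")

# ACL element lists exactly as they would be written in named.conf, in order.
DEFAULT_ALLOW = ["!192.168.1.100", "any"]        # the "before" pattern above
DEFAULT_DENY = ["10.0.0.0/8", "172.16.0.0/12"]   # the fail-secure "after" pattern

def parse_acl(elements):
    """Turn named.conf-style elements into ordered (negated, network) pairs; 'any' -> None."""
    acl = []
    for el in elements:
        negated = el.startswith("!")
        el = el.lstrip("!")
        if el == "any":
            acl.append((negated, None))
        elif el != "none":                       # 'none' never matches; nothing to store
            acl.append((negated, ipaddress.ip_network(el, strict=False)))
    return acl

def acl_allows(acl, ip):
    """named semantics: first matching element decides; a negated match or no match denies."""
    addr = ipaddress.ip_address(ip)
    for negated, net in acl:
        if net is None or addr in net:
            return not negated
    return False                                  # default-deny: unlisted sources never match

def audit_querylog(log_text, acl):
    """Flag logged queries whose source the ACL should deny; signed queries are called out."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or acl_allows(acl, m.group("ip")):
            continue
        # Assumption: querylog prints 'S' for a signed query right after the +/- RD marker.
        kind = "signed query" if m.group("flags")[1:2] == "S" else "query"
        alerts.append(f"{kind} from {m.group('ip')} for {m.group('name')}/{m.group('type')} "
                      "should be denied; confirm named logged a matching 'denied' entry")
    return alerts
```

Run it against a real query log channel to compare what the configured ACL should do with what named actually answered; any alert without a corresponding denial entry in the security channel deserves investigation.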
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.