PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3119 ISC CVE debrief

CVE-2026-3119 describes an availability issue in ISC BIND 9 where `named` may crash while processing a correctly signed query containing a TKEY record. The affected code path is only reachable when the incoming request carries a valid TSIG from a key declared in the `named` configuration. ISC rates the issue as medium severity, and the vendor has published fixes for the affected release branches.

Vendor: ISC
Product: BIND 9
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-21
Advisory published: 2026-03-25
Advisory updated: 2026-05-21

Who should care

Operators of ISC BIND 9 instances in the affected 9.20.x and 9.21.x branches, especially environments that accept TSIG-signed requests or use TKEY-related workflows. Administrators of BIND 9.18.x do not appear to be affected based on the vendor/NVD data provided.

Technical summary

The issue is a crash in `named` triggered during processing of a correctly signed DNS query containing a TKEY record. Per the vendor description, the vulnerable code is reachable only if the request includes a valid TSIG tied to a key configured in `named`, which lowers exposure but still leaves a network-reachable availability impact. NVD maps the issue to CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-617.

Defensive priority

Medium. Patch sooner rather than later if you run affected BIND 9 9.20.x or 9.21.x builds and accept TSIG-authenticated traffic. If your deployment does not use TSIG with BIND, exposure is narrower, but the affected versions should still be upgraded on a normal maintenance cycle.

Recommended defensive actions

  • Upgrade affected BIND 9 9.20.x systems to 9.20.21 or later.
  • Upgrade affected BIND 9 9.21.x systems to 9.21.20 or later.
  • Review whether your `named` configuration accepts TSIG keys from trusted peers and inventory any TKEY-related workflows.
  • Confirm that any deployment on BIND 9.18.x is tracked separately; the supplied vendor data says 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are not affected.
  • After upgrading, verify the service restarts cleanly and monitor DNS service availability for unexpected crashes or log errors.
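
The version check and TSIG/TKEY inventory from the actions above can be scripted for fleet triage. The following is an added example, not vendor or PatchSiren code; the function names and the sample configuration are constructed, and it assumes every 9.20.x or 9.21.x build below the fixed release is affected and that -S builds outside the listed 9.18 range need a manual check against the advisory.

```python
import re

# Fixed releases and the unaffected 9.18 ranges come from the page; treating every
# earlier 9.20.x / 9.21.x build as affected is an assumption of this example.
FIXED = {(9, 20): 21, (9, 21): 20}

def classify_version(banner):
    """Classify a `named -v` banner such as 'BIND 9.20.5 (Stable Release)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?", banner)
    if not m:
        return "unknown"
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    preview = m.group(4) is not None  # -S1 style build
    if (major, minor) == (9, 18):
        low = 11 if preview else 0
        return "not-affected" if low <= patch <= 46 else "unknown"
    if (major, minor) in FIXED and not preview:
        return "fixed" if patch >= FIXED[(major, minor)] else "affected"
    return "unknown"  # branch or -S build the page gives no data for

def tsig_inventory(conf):
    """Return (declared key names, tkey-* options) found in named.conf text.
    Files pulled in with `include` are not followed; pass their text in too."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # /* block comments */
    conf = re.sub(r"(//|#).*", "", conf)                # // and # line comments
    keys = re.findall(r'^\s*key\s+"?([\w.\-]+)"?\s*\{', conf, flags=re.M)
    tkey = sorted(set(re.findall(r"\b(tkey-[a-z\-]+)\b", conf)))
    return keys, tkey

def triage(banner, conf):
    status = classify_version(banner)
    keys, tkey = tsig_inventory(conf)
    if status != "affected":
        priority = "none" if status in ("fixed", "not-affected") else "check-advisory"
    else:  # a declared key is the page's precondition for reaching the crash path
        priority = "patch-soon" if keys else "patch-normal-cycle"
    return {"version": status, "keys": keys, "tkey_options": tkey, "priority": priority}

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = '''
options { directory "/var/named"; tkey-domain "example.test"; };
// key "old-key" { algorithm hmac-md5; secret "AAAA"; };
key "xfer-key" { algorithm hmac-sha256; secret "Y29uc3RydWN0ZWQ="; };
zone "example.test" { type primary; file "db.example"; allow-transfer { key "xfer-key"; }; };
'''

if __name__ == "__main__":
    print(triage("BIND 9.20.5 (Stable Release)", SAMPLE_CONF))
```

Keys declared only for `rndc` control access also appear in the inventory, since they are `key` statements in the `named` configuration.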

Evidence notes

All substantive claims here come from the supplied CVE description and NVD vendor metadata: the crash condition, the TSIG/TKEY reachability requirement, the affected and non-affected version ranges, the CVSS vector, and the CWE mapping. Patch references and the vendor advisory are listed in the official NVD references. No exploit steps or reproduction details are included.

Official resources

Publicly disclosed on 2026-03-25, with the NVD record last modified on 2026-05-21 to reflect the official vendor patch and advisory references. Timing context is based on the supplied CVE and source metadata; no later generation or review date