PatchSiren

CVE-2026-3591 ISC CVE debrief

CVE-2026-3591 is a vulnerability in ISC BIND’s named server when processing DNS queries signed with SIG(0). A specially crafted request can trigger a use-after-return that may cause an ACL to mis-match an IP address. The practical risk is greatest in default-allow ACL deployments that only deny specific IPs, because the bug may let traffic through that should have been blocked. ISC has provided fixed releases, and the 9.18 branch is documented as not affected.

Vendor: ISC
Product: BIND 9
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-21
Advisory published: 2026-03-25
Advisory updated: 2026-05-21

Who should care

DNS and infrastructure teams running ISC BIND 9, especially operators using SIG(0) and default-allow ACLs. Security teams responsible for external DNS services, recursive resolvers, or environments where access control decisions are enforced by named should also review exposure.

Technical summary

The issue is a use-after-return in named during SIG(0)-signed DNS query handling. According to the vendor and NVD record, the flaw can lead to incorrect ACL evaluation, including an IP address being mis-matched against an ACL entry. That can produce unauthorized access in default-allow configurations. NVD lists the vulnerability as CVSS 3.1 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) with associated weakness tags CWE-305 and CWE-562. Affected versions are BIND 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. The vendor also states that BIND 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are not affected.

Defensive priority

Medium. The issue is network-reachable and has an available fix, but the documented impact is limited and default-deny ACLs should fail secure. Prioritize systems that use SIG(0) and default-allow ACLs.

Recommended defensive actions

  • Upgrade to the vendor-fixed releases: BIND 9.20.21 or later in the 9.20 branch, and BIND 9.21.20 or later in the 9.21 branch.
  • If you are on BIND 9.18.0 through 9.18.46 or 9.18.11-S1 through 9.18.46-S1, the vendor record says this issue does not apply; still verify your deployed build and package origin.
  • Review ACL configurations on named instances that accept SIG(0)-signed requests, with extra attention to default-allow rules that deny only selected IP addresses.
  • Validate whether any external or internal clients rely on SIG(0) for administrative access, and test after upgrading to confirm ACL behavior is unchanged except for the fix.
  • Track the vendor advisory and patch references for rollout guidance and any follow-on maintenance notes.
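The two ACL shapes the debrief contrasts, as an added named.conf example that is not part of the ISC advisory or the PatchSiren debrief. The prefixes are RFC 5737 documentation ranges constructed for illustration, and the ACL names are invented; the point is the difference between a list that falls through to "any" after a few negated entries and one that lists only what is permitted.

```conf
// Added example, not from ISC or PatchSiren. Address ranges are RFC 5737
// documentation prefixes constructed for illustration.

// Shape 1: default-allow. Only the negated prefixes are refused; every other
// address falls through to "any". This is the configuration the advisory
// singles out: if an address is mis-matched against the "!" entries, the
// request is allowed rather than refused.
acl "blocked-clients" {
    !192.0.2.0/24;
    !198.51.100.0/24;
    any;
};

// Shape 2: default-deny. Only the listed prefixes are permitted; anything the
// list does not match is refused. A mis-match here fails closed (a permitted
// client is turned away), which is the fail-secure behaviour the debrief
// relies on when it rates the issue Medium.
acl "trusted-clients" {
    203.0.113.0/24;
    localhost;
};

options {
    // Recursion, transfers and other privileged operations use the
    // default-deny list; nothing is reachable by falling through a negation.
    allow-recursion { trusted-clients; };
    allow-transfer { none; };
};
```

On a public authoritative server `allow-query { any; };` is normal and not the concern here; the review the debrief asks for is about privileged operations (recursion, transfers, updates, administrative access) whose ACLs are written in the first shape. `named -v` reports the running build against the affected ranges above, and `named-checkconf` validates a rewritten configuration before it is reloaded.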

Evidence notes

The debrief is based on the NVD CVE record and ISC’s linked vendor advisory and patch downloads. The CVE description states a use-after-return in named while handling SIG(0)-signed DNS queries, with possible ACL IP mis-matches and unauthorized access in default-allow ACLs. NVD’s analyzed record lists affected CPE ranges ending before 9.20.21 and 9.21.20, and it includes CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N plus CWE-305 and CWE-562. ISC’s references provide fixed versions 9.20.21 and 9.21.20, and the vendor advisory states that the 9.18 series is not affected. CVE publication time used here is 2026-03-25, with the source modified on 2026-05-21.

Official resources

Publicly disclosed on 2026-03-25, with the record modified on 2026-05-21. Vendor patches and advisory links are available in the official references.