Internet Systems Consortium (ISC) has disclosed a medium-severity vulnerability in BIND 9, tracked as CVE-2026-3591, that could allow remote attackers to bypass access control lists (ACLs) under specific conditions.
The flaw, rooted in a stack use-after-return condition, affects both authoritative DNS servers and recursive resolvers, raising concerns for enterprise and ISP environments relying on BIND for critical DNS operations.
The vulnerability exists in the named server component during the processing of DNS queries signed with SIG(0), a mechanism used for authenticating DNS messages.
According to ISC, a specially crafted DNS request can trigger a use-after-return flaw in memory handling, resulting in improper evaluation of client IP addresses against configured ACLs. This memory safety issue does not directly lead to code execution but introduces logic inconsistencies that can undermine access enforcement.
The primary security risk arises in environments that use default-allow ACL configurations, where only specific IP addresses are denied while all others are permitted.
In such setups, exploitation of CVE-2026-3591 may cause the ACL logic to misidentify a client’s IP address, effectively allowing unauthorized systems to bypass restrictions. Conversely, deployments using default-deny ACL policies are expected to fail securely, limiting the practical impact of the flaw.
ISC assigned the vulnerability a CVSS v3.1 score of 5.4, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating network-based exploitation with low attack complexity and limited impact on confidentiality and integrity. The vector assigns no availability impact (A:N).
Although the vulnerability requires some level of privileges (PR:L), the remote nature of exploitation makes it relevant in shared or multi-tenant environments where DNS access controls are critical.
Affected versions include BIND 9.20.0 through 9.20.20 and 9.21.0 through 9.21.19, along with corresponding Supported Preview Edition releases (9.20.9-S1 through 9.20.20-S1). Notably, the long-term support branch BIND 9.18.x remains unaffected, which may provide temporary relief for organizations still operating on stable deployments.
At the time of disclosure, ISC reported no evidence of active exploitation in the wild. However, given the relatively straightforward attack vector and the widespread deployment of BIND, security teams are advised to prioritize patching efforts. There are currently no known workarounds, making software updates the only effective mitigation strategy.
ISC has released patched versions addressing the issue, including BIND 9.20.21, 9.21.20, and 9.20.21-S1 for preview edition users.
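The affected and fixed version lists above are easy to misread when checking a fleet by hand, so here is an added example (not ISC's code) that classifies a BIND 9 version string, or a line containing one such as the output of `named -v`, against exactly the ranges the advisory gives. The sample strings in the demo are constructed, not real captures, and the `named -v` output format is assumed only to contain the version number somewhere in the line.

```python
"""Added example (not ISC's code): classify a BIND 9 version string against the
CVE-2026-3591 ranges published in the advisory.

Affected: 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and the Supported
Preview Edition 9.20.9-S1 through 9.20.20-S1. Fixed: 9.20.21, 9.21.20 and
9.20.21-S1. The 9.18 branch is not affected, and releases after the fixed
versions are reported as unaffected.
"""
import re
from typing import Optional, Tuple

# (branch, lowest affected patch, highest affected patch, preview edition?)
AFFECTED_RANGES = [
    ((9, 20), 0, 20, False),  # 9.20.0 .. 9.20.20
    ((9, 21), 0, 19, False),  # 9.21.0 .. 9.21.19
    ((9, 20), 9, 20, True),   # 9.20.9-S1 .. 9.20.20-S1
]
FIXED_VERSIONS = {"9.20.21", "9.21.20", "9.20.21-S1"}

# Matches "9.20.20" or "9.20.20-S1" anywhere in a string, e.g. inside `named -v` output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_bind_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, suffix) where suffix is '' or e.g. '-S1',
    or None if the text contains no version number."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix or ""


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'unaffected' for the version found in text."""
    parsed = parse_bind_version(text)
    if parsed is None:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, suffix = parsed
    is_preview = suffix != ""
    canonical = f"{major}.{minor}.{patch}{suffix}"
    if canonical in FIXED_VERSIONS:
        return "fixed"
    for branch, low, high, preview in AFFECTED_RANGES:
        if (major, minor) == branch and preview == is_preview and low <= patch <= high:
            return "affected"
    return "unaffected"


if __name__ == "__main__":
    # Constructed sample inputs resembling `named -v` output (not real captures).
    for sample in (
        "BIND 9.20.20 (Stable Release) <id:example>",
        "BIND 9.21.20 (Development Release) <id:example>",
        "BIND 9.18.33 (Extended Support Version) <id:example>",
        "9.20.20-S1",
    ):
        print(f"{sample!r:60} -> {classify(sample)}")
```

The preview-edition ranges are matched separately from the regular ones because 9.20.9-S1 is the first affected preview release while 9.20.0 is the first affected regular one; a checker that strips the `-S1` suffix would misreport the preview builds.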
Organizations are encouraged to upgrade to the nearest supported version to eliminate exposure. As part of standard hardening practices, administrators should also review ACL configurations, favoring default-deny models where feasible to reduce the risk of logic bypass vulnerabilities.
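The default-allow versus default-deny contrast drawn earlier, and the review of ACL configurations recommended here, can be made concrete with two named.conf fragments. This is an added illustration, not configuration from ISC or the article: the network ranges are placeholders (RFC 5737 documentation prefixes and RFC 1918 private ranges), and `allow-recursion` and `allow-query-cache` are standard named.conf options.

```conf
// Added illustration of the two ACL styles discussed in the advisory.
// Network ranges are placeholders. A real named.conf has a single options {}
// block, so choose one of the two variants below.

// --- Variant A: default-allow (weak) ---
// Only the listed ranges are refused; every other source address is accepted.
// If the client address is evaluated incorrectly, the trailing "any" still
// matches, so a client that should have been blocked is admitted.
acl "blocked-nets" { 203.0.113.0/24; 198.51.100.0/24; };

options {
    allow-recursion { !blocked-nets; any; };
};

// --- Variant B: default-deny (recommended) ---
// Only enumerated internal sources are accepted. Anything that does not match
// falls through to the implicit deny at the end of the address match list, so
// an incorrectly evaluated client address is refused rather than admitted.
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; localnets; };

options {
    allow-recursion   { internal-nets; };
    allow-query-cache { internal-nets; };
};
```

Variant B is the shape of BIND's own default for `allow-recursion` (`localnets` and `localhost`), which is why the advisory expects default-deny deployments to fail securely: a mis-evaluated address matches nothing and is denied.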
Security researcher Mcsky23 reported the flaw, and ISC has incorporated the fix into its latest maintenance releases following an early notification issued on March 18, 2026. Public disclosure occurred on March 25, 2026, alongside updated documentation in ISC’s vulnerability knowledge base.
While CVE-2026-3591 does not pose a critical threat, it highlights the continued importance of memory safety in network-facing services and the subtle ways in which low-level bugs can cascade into access-control weaknesses. For organizations operating DNS infrastructure, timely patching and robust ACL design remain essential to maintaining trust boundaries.
Site: cybersecuritypath.com