CVE-2026-3591

· Published 25/03/2026 14:16 · Modified 25/03/2026 15:41

Labels: 2026-03-25, CVE-2026-3591, CWE-305, [email protected]

Essential information

Published: 25/03/2026 14:16
Modified: 25/03/2026 15:41
Author:
Creator:
CVSS: 5.4 MEDIUM (v3.1)
CISA KEV: No
CWE:
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description

A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

| Product | CPE |
| --- | --- |
| isc / bind | cpe:2.3:a:isc:bind:9.20.0-9.20.20:*:*:*:*:*:*:* |
| isc / bind | cpe:2.3:a:isc:bind:9.21.0-9.21.19:*:*:*:*:*:*:* |
| isc / bind | cpe:2.3:a:isc:bind:9.20.9-S1-9.20.20-S1:*:*:*:*:*:*:* |