wid-sec-w-2026-0863 · Published 2026-03-25 · View on BSI CERT-Bund ↗

Internet Systems Consortium BIND: Multiple Vulnerabilities

CVSS 7.5 HIGH

Risk Summary

Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected. A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

CVEs (4)

CVE-2026-1519 CVE-2026-3104 CVE-2026-3119 CVE-2026-3591

Affected Vendors

Amazon Debian Fedora Internet Systems Consortium SUSE Ubuntu

Affected Products (6)

Internet Systems Consortium · BIND <9.18.47

Internet Systems Consortium · BIND 9.18.47

Internet Systems Consortium · BIND <9.20.21

Internet Systems Consortium · BIND 9.20.21

Internet Systems Consortium · BIND <9.21.20

Internet Systems Consortium · BIND 9.21.20

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more