A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-01c20fe8ca advisory.

    # Update to 9.21.20 (rhbz#2440560)

    ## Security Fixes:

    - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations.
    ([CVE-2026-1519](https://kb.isc.org/docs/cve-2026-1519))
    - Fix memory leaks in code preparing DNSSEC proofs of non-existence.
    ([CVE-2026-3104](https://kb.isc.org/docs/cve-2026-3104))
    - Prevent a crash in code processing queries containing a TKEY record.
    ([CVE-2026-3119](https://kb.isc.org/docs/cve-2026-3119))
    - Fix a stack use-after-return flaw in SIG(0) handling code.
    ([CVE-2026-3591](https://kb.isc.org/docs/cve-2026-3591))

    ## New Features:

    - Provide response round-trip time (RTT) counters via statistics channel.
    - Introduce max-delegation-servers configuration option.

    ## Bug Fixes:

    - Fix parsing key inactivation time in KASP code.
    - Fix the handling of key statements defined inside views.

    # Update to 9.21.19

    ## Security Fixes:

    - Fix a use-after-free error in dns_client_resolve() triggered by a DNAME response.
    - Fix a NULL pointer dereference in qp-trie cache code.
    - Immediately remove purged ADB names and entries from the SIEVE list.

    ## Feature Changes:

    - Record query time for all dnstap responses.
    - Optimize TCP source port selection on Linux.

    and multiple bug fixes.

    # Update to 9.21.18

    ## Feature Changes:

    - Enable minimal ANY answers by default.
    - Lowercase the NSEC Next Domain Name field.
    - Update requirements for system test suite.

    ## Bug Fixes:

    - Make catalog zone names and member zones' entry names case-insensitive. [GL #5693]
    - Fix implementation of BRID and HHIT record types. [GL #5710]
    - Fix implementation of DSYNC record type. [GL #5711]
    - Fix response policy and catalog zones to work with $INCLUDE directive.

    Source: https://downloads.isc.org/isc/bind9/9.21.20/doc/arm/html/notes.html#notes-for-bind-9-21-20


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES16 / SLES_SAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:21204-1 advisory.

    - Update to release 9.20.21
    - CVE-2026-1519: maliciously crafted DNSSEC-validated zone can lead to denial of service (bsc#1260805).
    - CVE-2026-3104: memory leak in code preparing DNSSEC proofs of non-existence allows for DoS     (bsc#1260567).
    - CVE-2026-3119: authenticated queries containing a TKEY record may cause `named` to terminate     unexpectedly (bsc#1260568).
    - CVE-2026-3591: stack use-after-return flaw in SIG(0) handling code allows for ACL bypass (bsc#1260569).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20550-1 advisory.

    - Update to release 9.20.21
    - CVE-2026-1519: maliciously crafted DNSSEC-validated zone can lead to denial of service (bsc#1260805).
    - CVE-2026-3104: memory leak in code preparing DNSSEC proofs of non-existence allows for DoS     (bsc#1260567).
    - CVE-2026-3119: authenticated queries containing a TKEY record may cause `named` to terminate     unexpectedly (bsc#1260568).
    - CVE-2026-3591: stack use-after-return flaw in SIG(0) handling code allows for ACL bypass (bsc#1260569).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1351-1 advisory.

    Security issues:

    - CVE-2026-1519: maliciously crafted DNSSEC-validated zone can lead to denial of service (bsc#1260805).
    - CVE-2026-3104: memory leak in code preparing DNSSEC proofs of non-existence allows for DoS     (bsc#1260567).
    - CVE-2026-3119: authenticated queries containing a TKEY record may cause `named` to terminate     unexpectedly       (bsc#1260568).
    - CVE-2026-3591: stack use-after-return flaw in SIG(0) handling code allows for ACL bypass (bsc#1260569).
    - use-after-free error in `dns_client_resolve()` triggered by a DNAME response (bsc#1259202).

    Upgrade to release 9.20.21      Security Fixes:
     * Fix unbounded NSEC3 iterations when validating referrals to      unsigned delegations.
     (CVE-2026-1519)      [bsc#1260805]
     * Fix memory leaks in code preparing DNSSEC proofs of      non-existence.
     (CVE-2026-3104)      [bsc#1260567]
     * Prevent a crash in code processing queries containing a TKEY      record.
     (CVE-2026-3119)      [bsc#1260568]
     * Fix a stack use-after-return flaw in SIG(0) handling code.
     (CVE-2026-3591)      [bsc#1260569]
     * Fix a use-after-free error in dns_client_resolve() triggered by      a DNAME response. This issue only affected the delv tool and it      has now been fixed.
     [bsc#1259202]      Feature Changes:
     * Record query time for all dnstap responses.
     * Optimize TCP source port selection on Linux.
     Bug Fixes:
     * Fix the handling of key statements defined inside views.
     * Fix an assertion failure triggered by non-minimal IXFRs.
     * Fix a crash when retrying a NOTIFY over TCP.
     * Fetch loop detection improvements.
     * Randomize nameserver selection.
     * Fix dnstap logging of forwarded queries.
     * A stale answer could have been served in case of multiple      upstream failures when following CNAME chains. This has been      fixed.
     * Fail DNSKEY validation when supported but invalid DS is found.
     * Importing an invalid SKR file might corrupt stack memory.
     * Return FORMERR for queries with the EDNS Client Subnet FAMILY      field set to 0.
     * Fix inbound IXFR performance regression.
     * Make catalog zone names and member zones' entry names      case-insensitive.
     * Fix implementation of BRID and HHIT record types.
     * Fix implementation of DSYNC record type.
     * Fix response policy and catalog zones to work with $INCLUDE      directive.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-bcc66a29da advisory.

    # Update to 9.21.20 (rhbz#2440560)

    ## Security Fixes:

    - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations.
    ([CVE-2026-1519](https://kb.isc.org/docs/cve-2026-1519))
    - Fix memory leaks in code preparing DNSSEC proofs of non-existence.
    ([CVE-2026-3104](https://kb.isc.org/docs/cve-2026-3104))
    - Prevent a crash in code processing queries containing a TKEY record.
    ([CVE-2026-3119](https://kb.isc.org/docs/cve-2026-3119))
    - Fix a stack use-after-return flaw in SIG(0) handling code.
    ([CVE-2026-3591](https://kb.isc.org/docs/cve-2026-3591))

    ## New Features:

    - Provide response round-trip time (RTT) counters via statistics channel.
    - Introduce max-delegation-servers configuration option.

    ## Bug Fixes:

    - Fix parsing key inactivation time in KASP code.
    - Fix the handling of key statements defined inside views.

    # Update to 9.21.19

    ## Security Fixes:

    - Fix a use-after-free error in dns_client_resolve() triggered by a DNAME response.
    - Fix a NULL pointer dereference in qp-trie cache code.
    - Immediately remove purged ADB names and entries from the SIEVE list.

    ## Feature Changes:

    - Record query time for all dnstap responses.
    - Optimize TCP source port selection on Linux.

    and multiple bug fixes.

    # Update to 9.21.18

    ## Feature Changes:

    - Enable minimal ANY answers by default.
    - Lowercase the NSEC Next Domain Name field.
    - Update requirements for system test suite.

    ## Bug Fixes:

    - Make catalog zone names and member zones' entry names case-insensitive. [GL #5693]
    - Fix implementation of BRID and HHIT record types. [GL #5710]
    - Fix implementation of DSYNC record type. [GL #5711]
    - Fix response policy and catalog zones to work with $INCLUDE directive.

    Source: https://downloads.isc.org/isc/bind9/9.21.20/doc/arm/html/notes.html#notes-for-bind-9-21-20



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-a6efefa854 advisory.

    # Update to 9.21.20 (rhbz#2440560)

    ## Security Fixes:

    - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations.
    ([CVE-2026-1519](https://kb.isc.org/docs/cve-2026-1519))
    - Fix memory leaks in code preparing DNSSEC proofs of non-existence.
    ([CVE-2026-3104](https://kb.isc.org/docs/cve-2026-3104))
    - Prevent a crash in code processing queries containing a TKEY record.
    ([CVE-2026-3119](https://kb.isc.org/docs/cve-2026-3119))
    - Fix a stack use-after-return flaw in SIG(0) handling code.
    ([CVE-2026-3591](https://kb.isc.org/docs/cve-2026-3591))

    ## New Features:

    - Provide response round-trip time (RTT) counters via statistics channel.
    - Introduce max-delegation-servers configuration option.

    ## Bug Fixes:

    - Fix parsing key inactivation time in KASP code.
    - Fix the handling of key statements defined inside views.

    # Update to 9.21.19

    ## Security Fixes:

    - Fix a use-after-free error in dns_client_resolve() triggered by a DNAME response.
    - Fix a NULL pointer dereference in qp-trie cache code.
    - Immediately remove purged ADB names and entries from the SIEVE list.

    ## Feature Changes:

    - Record query time for all dnstap responses.
    - Optimize TCP source port selection on Linux.

    and multiple bug fixes.

    # Update to 9.21.18

    ## Feature Changes:

    - Enable minimal ANY answers by default.
    - Lowercase the NSEC Next Domain Name field.
    - Update requirements for system test suite.

    ## Bug Fixes:

    - Make catalog zone names and member zones' entry names case-insensitive. [GL #5693]
    - Fix implementation of BRID and HHIT record types. [GL #5710]
    - Fix implementation of DSYNC record type. [GL #5711]
    - Fix response policy and catalog zones to work with $INCLUDE directive.

    Source: https://downloads.isc.org/isc/bind9/9.21.20/doc/arm/html/notes.html#notes-for-bind-9-21-20


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6181 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6181-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     March 27, 2026                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : bind9     CVE ID         : CVE-2026-1519 CVE-2026-3104 CVE-2026-3119 CVE-2026-3591

    Several vulnerabilities were discovered in BIND, a DNS server     implementation, which may result in bypass of ACL restrictions or denial     of service.

    For the oldstable distribution (bookworm), these problems have been     fixed in version 1:9.18.47-1~deb12u1. The oldstable distribution is only     affected by CVE-2026-1519.

    For the stable distribution (trixie), these problems have been fixed in     version 1:9.20.21-1~deb13u1.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8124-1 advisory.

    Samy Medjahed discovered that Bind incorrectly handled insecure delegation validation. A remote attacker     could possibly use this issue to cause excessive NSEC3 iterations, consuming CPU resources, and leading to     a denial of service. (CVE-2026-1519)

    Vitaly Simonovich discovered that Bind incorrectly handled memory when preparing DNSSEC proofs of non-     existence. A remote attacker could possibly use this issue to cause memory consumption, leading to a     denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-3104)

    Vitaly Simonovich discovered that Bind incorrectly handled authenticated queries containing TKEY records.
    A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
    This issue only affected Ubuntu 25.10. (CVE-2026-3119)

    It was discovered that Bind incorrectly handled DNS queries signed with SIG(0). A remote attacker could     possibly use this issue to bypass ACLs. This issue only affected Ubuntu 25.10. (CVE-2026-3591)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with     SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly     (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to     unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0     through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through     9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected. (CVE-2026-3591)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2026-3591 advisory.

  - A use-after-return vulnerability exists in the  named  server when handling DNS queries signed with     SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly     (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to     unauthorized access. Default-deny ACLs should fail-secure.An attacker may be able to cause an ACL to     improperly (mis)match an IP address.  In a default-allow ACL (denying only specific IP addresses), this     may lead to unauthorized access.         -  Authoritative servers are affected by this vulnerability.
    -  Resolvers are affected by this vulnerability.  Authoritative servers are affected by this     vulnerability. Resolvers are affected by this vulnerability. (CVE-2026-3591)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
310877	Fedora 44 : bind9-next (2026-01c20fe8ca)	Nessus	Fedora Local Security Checks	high
309162	SUSE SLES16 Security Update : bind (SUSE-SU-2026:21204-1)	Nessus	SuSE Local Security Checks	high
309140	openSUSE 16 Security Update : bind (openSUSE-SU-2026:20550-1)	Nessus	SuSE Local Security Checks	high
306694	SUSE SLED15 / SLES15 Security Update : bind (SUSE-SU-2026:1351-1)	Nessus	SuSE Local Security Checks	high
304939	Fedora 42 : bind9-next (2026-bcc66a29da)	Nessus	Fedora Local Security Checks	high
304848	Fedora 43 : bind9-next (2026-a6efefa854)	Nessus	Fedora Local Security Checks	high
304021	Debian dsa-6181 : bind9 - security update	Nessus	Debian Local Security Checks	high
304016	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : Bind vulnerabilities (USN-8124-1)	Nessus	Ubuntu Local Security Checks	high
303721	Linux Distros Unpatched Vulnerability : CVE-2026-3591	Nessus	Misc.	high
303596	ISC BIND 9.20.0 < 9.20.21 / 9.20.9-S1 < 9.20.21-S1 / 9.21.0 < 9.21.20 Vulnerability (cve-2026-3591)	Nessus	DNS	medium

Detections

Analytics

CVE-2026-3591

medium

Tenable Plugins

high

high

high

high

high

high

high

high

high

medium