A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-bcc66a29da advisory.

    # Update to 9.21.20 (rhbz#2440560)

    ## Security Fixes:

    - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations.
    ([CVE-2026-1519](https://kb.isc.org/docs/cve-2026-1519))
    - Fix memory leaks in code preparing DNSSEC proofs of non-existence.
    ([CVE-2026-3104](https://kb.isc.org/docs/cve-2026-3104))
    - Prevent a crash in code processing queries containing a TKEY record.
    ([CVE-2026-3119](https://kb.isc.org/docs/cve-2026-3119))
    - Fix a stack use-after-return flaw in SIG(0) handling code.
    ([CVE-2026-3591](https://kb.isc.org/docs/cve-2026-3591))

    ## New Features:

    - Provide response round-trip time (RTT) counters via statistics channel.
    - Introduce max-delegation-servers configuration option.

    ## Bug Fixes:

    - Fix parsing key inactivation time in KASP code.
    - Fix the handling of key statements defined inside views.

    # Update to 9.21.19

    ## Security Fixes:

    - Fix a use-after-free error in dns_client_resolve() triggered by a DNAME response.
    - Fix a NULL pointer dereference in qp-trie cache code.
    - Immediately remove purged ADB names and entries from the SIEVE list.

    ## Feature Changes:

    - Record query time for all dnstap responses.
    - Optimize TCP source port selection on Linux.

    and multiple bug fixes.

    # Update to 9.21.18

    ## Feature Changes:

    - Enable minimal ANY answers by default.
    - Lowercase the NSEC Next Domain Name field.
    - Update requirements for system test suite.

    ## Bug Fixes:

    - Make catalog zone names and member zones' entry names case-insensitive. [GL #5693]
    - Fix implementation of BRID and HHIT record types. [GL #5710]
    - Fix implementation of DSYNC record type. [GL #5711]
    - Fix response policy and catalog zones to work with $INCLUDE directive.

    Source: https://downloads.isc.org/isc/bind9/9.21.20/doc/arm/html/notes.html#notes-for-bind-9-21-20



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-a6efefa854 advisory.

    # Update to 9.21.20 (rhbz#2440560)

    ## Security Fixes:

    - Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations.
    ([CVE-2026-1519](https://kb.isc.org/docs/cve-2026-1519))
    - Fix memory leaks in code preparing DNSSEC proofs of non-existence.
    ([CVE-2026-3104](https://kb.isc.org/docs/cve-2026-3104))
    - Prevent a crash in code processing queries containing a TKEY record.
    ([CVE-2026-3119](https://kb.isc.org/docs/cve-2026-3119))
    - Fix a stack use-after-return flaw in SIG(0) handling code.
    ([CVE-2026-3591](https://kb.isc.org/docs/cve-2026-3591))

    ## New Features:

    - Provide response round-trip time (RTT) counters via statistics channel.
    - Introduce max-delegation-servers configuration option.

    ## Bug Fixes:

    - Fix parsing key inactivation time in KASP code.
    - Fix the handling of key statements defined inside views.

    # Update to 9.21.19

    ## Security Fixes:

    - Fix a use-after-free error in dns_client_resolve() triggered by a DNAME response.
    - Fix a NULL pointer dereference in qp-trie cache code.
    - Immediately remove purged ADB names and entries from the SIEVE list.

    ## Feature Changes:

    - Record query time for all dnstap responses.
    - Optimize TCP source port selection on Linux.

    and multiple bug fixes.

    # Update to 9.21.18

    ## Feature Changes:

    - Enable minimal ANY answers by default.
    - Lowercase the NSEC Next Domain Name field.
    - Update requirements for system test suite.

    ## Bug Fixes:

    - Make catalog zone names and member zones' entry names case-insensitive. [GL #5693]
    - Fix implementation of BRID and HHIT record types. [GL #5710]
    - Fix implementation of DSYNC record type. [GL #5711]
    - Fix response policy and catalog zones to work with $INCLUDE directive.

    Source: https://downloads.isc.org/isc/bind9/9.21.20/doc/arm/html/notes.html#notes-for-bind-9-21-20


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6181 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6181-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     March 27, 2026                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : bind9     CVE ID         : CVE-2026-1519 CVE-2026-3104 CVE-2026-3119 CVE-2026-3591

    Several vulnerabilities were discovered in BIND, a DNS server     implementation, which may result in bypass of ACL restrictions or denial     of service.

    For the oldstable distribution (bookworm), these problems have been     fixed in version 1:9.18.47-1~deb12u1. The oldstable distribution is only     affected by CVE-2026-1519.

    For the stable distribution (trixie), these problems have been fixed in     version 1:9.20.21-1~deb13u1.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8124-1 advisory.

    Samy Medjahed discovered that Bind incorrectly handled insecure delegation validation. A remote attacker     could possibly use this issue to cause excessive NSEC3 iterations, consuming CPU resources, and leading to     a denial of service. (CVE-2026-1519)

    Vitaly Simonovich discovered that Bind incorrectly handled memory when preparing DNSSEC proofs of non-     existence. A remote attacker could possibly use this issue to cause memory consumption, leading to a     denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-3104)

    Vitaly Simonovich discovered that Bind incorrectly handled authenticated queries containing TKEY records.
    A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.
    This issue only affected Ubuntu 25.10. (CVE-2026-3119)

    It was discovered that Bind incorrectly handled DNS queries signed with SIG(0). A remote attacker could     possibly use this issue to bypass ACLs. This issue only affected Ubuntu 25.10. (CVE-2026-3591)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with     SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly     (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to     unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0     through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through     9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected. (CVE-2026-3591)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2026-3591 advisory.

  - A use-after-return vulnerability exists in the  named  server when handling DNS queries signed with     SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly     (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to     unauthorized access. Default-deny ACLs should fail-secure.An attacker may be able to cause an ACL to     improperly (mis)match an IP address.  In a default-allow ACL (denying only specific IP addresses), this     may lead to unauthorized access.         -  Authoritative servers are affected by this vulnerability.
    -  Resolvers are affected by this vulnerability.  Authoritative servers are affected by this     vulnerability. Resolvers are affected by this vulnerability. (CVE-2026-3591)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
304939	Fedora 42 : bind9-next (2026-bcc66a29da)	Nessus	Fedora Local Security Checks	high
304848	Fedora 43 : bind9-next (2026-a6efefa854)	Nessus	Fedora Local Security Checks	high
304021	Debian dsa-6181 : bind9 - security update	Nessus	Debian Local Security Checks	high
304016	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : Bind vulnerabilities (USN-8124-1)	Nessus	Ubuntu Local Security Checks	high
303721	Linux Distros Unpatched Vulnerability : CVE-2026-3591	Nessus	Misc.	medium
303596	ISC BIND 9.20.0 < 9.20.21 / 9.20.9-S1 < 9.20.21-S1 / 9.21.0 < 9.21.20 Vulnerability (cve-2026-3591)	Nessus	DNS	medium

Detections

Analytics

CVE-2026-3591

medium

Tenable Plugins

high

high

high

high

medium

medium