CVE-2026-3119: CWE-617 Reachable Assertion in ISC BIND 9
Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
AI Analysis
Technical Summary
CVE-2026-3119 is a vulnerability in ISC BIND 9 affecting versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and the corresponding Subscription Edition builds 9.20.9-S1 through 9.20.20-S1; the 9.18.x branch (9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1) is not affected. The flaw is a reachable assertion (CWE-617) in `named`: when the daemon processes a query for a TKEY record, the RFC 2930 record type used to negotiate shared keys (most commonly by GSS-TSIG clients), and that query carries a valid TSIG signature from a key declared in the `named` configuration, an internal consistency check fails and `named` aborts. Because the code path sits behind a valid signature, the attacker population is the set of parties holding a declared TSIG key, whether legitimately (secondary servers, dynamic-update clients, provisioning automation) or because a key leaked. The effect is denial of service: the process exits and stops answering until it is restarted. Confidentiality and integrity are not affected. The CVSS 3.1 vector is network-reachable, low complexity, privileges required (a declared TSIG key) and no user interaction. No public exploit or in-the-wild exploitation had been reported at publication, and ISC had not yet published fixed versions, so mitigation at the time of this report rests on configuration and operational controls. Given how widely BIND is deployed, this is a meaningful availability risk for organizations running affected versions, particularly those whose TSIG keys are shared across many hosts or tenants.
Potential Impact
The primary impact of CVE-2026-3119 is denial of service: `named` crashes and authoritative or recursive service stops until the process is restarted, with knock-on failures for anything that depends on name resolution. Exploitation needs a TSIG key declared on the target, so the exposure scales with how far those keys are spread: every secondary doing TSIG-signed zone transfers, every dynamic-update client, every automation host with a key file, and every repository or backup containing `named.conf` is a place the credential can be taken from. Environments where keys are shared broadly (large enterprises, managed DNS providers, multi-tenant hosting) are therefore at higher risk, and a single tenant or compromised client can take down a server that serves everyone else. Data confidentiality and integrity are not affected, but loss of DNS availability is significant for critical services. The absence of known exploits lowers immediate urgency, while the medium severity and the ease of triggering the crash with a valid credential mean organizations should act promptly. The scope is all affected BIND 9 versions in active use, which are widely deployed across government, enterprise and ISP networks.
Mitigation Recommendations
1. Upgrade BIND 9 to a fixed version as soon as ISC releases one for CVE-2026-3119; watch ISC's security advisories for patch availability.
2. Until then, treat every TSIG key declared in `named.conf` as a credential that lets its holder crash the server: the trigger condition is a valid signature, not a specific authorization, so key-scoped ACLs for transfers or updates do not by themselves remove the exposure. Inventory which hosts hold each key and delete keys that nothing uses.
3. Tighten TSIG key management: rotate keys, scope each key to one purpose and one peer where possible, and stop distributing keys through shared configuration repositories or machine images.
4. Use network segmentation and firewall rules so that only the known key holders (secondaries, update clients) can reach the server on port 53. A stateless firewall cannot tell a signed query from an unsigned one, so the control has to be by source address.
5. Enable query logging and watch for TSIG-signed TKEY queries (in the query log the `S` flag marks a signed query and the query type appears as TKEY), especially from hosts that should not hold a key or in unusual volume. A crash itself is recorded by `named` as an assertion failure before it exits.
6. Consider redundant DNS servers on an unaffected release (9.18.x, if still within ISC's support window) or alternative DNS software to preserve availability during mitigation.
7. Run `named` under process supervision with automatic restart (for example a systemd unit with `Restart=on-failure`) to shorten outages if a crash occurs; this limits impact but does not stop a key holder from repeating the trigger.
8. Test internally: use a held key to confirm the network controls actually block signed queries from unauthorized hosts, and audit where key material has ended up.
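The log-monitoring step above can be made concrete. The following is an added example, not code from this page or from ISC: it parses BIND's standard query-log lines, keeps only queries that are both TSIG-signed (the documented `S` flag) and of type TKEY, which is the request shape the advisory describes, and reports clients that are not on a key-holder allowlist or that send such queries in a burst. The sample log lines are constructed for illustration and KNOWN_KEY_HOLDERS is a hypothetical allowlist; the assertion-exit string is the message `named` logs when it aborts.

```python
"""
Triage of BIND query logs for TSIG-signed TKEY queries, the request shape that
reaches the CVE-2026-3119 assertion. Added example for the mitigation list
above; it is not code from the OffSeq page or from ISC. Assumptions: the query
log format is BIND's standard "queries" category output (documented flag "S" =
signed query), the sample log lines below are constructed for illustration,
and KNOWN_KEY_HOLDERS is a hypothetical allowlist of hosts that legitimately
hold a declared TSIG key.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# BIND query log line (after the timestamp):
#   client @0x... <ip>#<port> (<qname>): query: <qname> <class> <type> <flags> (<server ip>)
# Flags: + or - (RD), S (signed), E(n) (EDNS), T (TCP), D (DO), C (CD), V (cookie), K (keepalive).
QUERY_RE = re.compile(
    r"client @0x[0-9a-fA-F]+ (?P<ip>[0-9a-fA-F:.]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \([^)]*\)"
)
ASSERTION_EXIT = "exiting (due to assertion failure)"


class Query(NamedTuple):
    ip: str
    name: str
    qtype: str
    signed: bool


def parse_query(line: str) -> Optional[Query]:
    """Parse one query-log line; returns None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # The flag field never contains another 'S', so membership is enough.
    return Query(m["ip"], m["name"], m["qtype"], "S" in m["flags"])


def signed_tkey_queries(lines: Iterable[str]) -> List[Query]:
    """Only TSIG-signed TKEY queries match the advisory's trigger condition;
    an unsigned TKEY query never reaches the affected code."""
    out = []
    for line in lines:
        q = parse_query(line)
        if q and q.signed and q.qtype == "TKEY":
            out.append(q)
    return out


def triage(lines: List[str], known_key_holders: Set[str],
           burst_threshold: int = 5) -> Dict[str, str]:
    """Map client IP -> reason for every client worth a look."""
    findings: Dict[str, str] = {}
    counts = Counter(q.ip for q in signed_tkey_queries(lines))
    for ip, n in counts.items():
        if ip not in known_key_holders:
            findings[ip] = (f"{n} TSIG-signed TKEY query(ies) from a host that "
                            f"should not hold a declared key")
        elif n >= burst_threshold:
            findings[ip] = (f"{n} TSIG-signed TKEY queries from a known key "
                            f"holder, above burst threshold {burst_threshold}")
    return findings


def assertion_exits(lines: Iterable[str]) -> List[str]:
    """Lines recording named aborting on an assertion: the crash itself."""
    return [ln for ln in lines if ASSERTION_EXIT in ln]


# Constructed sample: a legitimate secondary (192.0.2.10) doing a signed AXFR
# and one signed TKEY query, an unknown host (203.0.113.7) sending three
# signed TKEY queries, an ordinary unsigned A query, an unsigned TKEY query
# (not a trigger), and the log line named writes when it aborts.
SAMPLE_LOG = """\
25-Mar-2026 14:01:10.123 client @0x7f3a2c00 192.0.2.10#54231 (example.com): query: example.com IN AXFR -SE(0)T (198.51.100.53)
25-Mar-2026 14:01:11.456 client @0x7f3a2c00 192.0.2.10#54232 (ws01.example.com): query: ws01.example.com IN TKEY -SE(0)T (198.51.100.53)
25-Mar-2026 14:01:12.789 client @0x7f3a2c01 203.0.113.7#40001 (a.example.com): query: a.example.com IN TKEY -SE(0) (198.51.100.53)
25-Mar-2026 14:01:12.901 client @0x7f3a2c01 203.0.113.7#40002 (b.example.com): query: b.example.com IN TKEY -SE(0) (198.51.100.53)
25-Mar-2026 14:01:13.004 client @0x7f3a2c01 203.0.113.7#40003 (c.example.com): query: c.example.com IN TKEY -SE(0) (198.51.100.53)
25-Mar-2026 14:01:14.000 client @0x7f3a2c02 198.51.100.20#5353 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.53)
25-Mar-2026 14:01:15.000 client @0x7f3a2c03 203.0.113.9#40004 (d.example.com): query: d.example.com IN TKEY +E(0) (198.51.100.53)
25-Mar-2026 14:01:16.000 general: critical: exiting (due to assertion failure)
""".splitlines()
KNOWN_KEY_HOLDERS = {"192.0.2.10"}  # hypothetical allowlist

if __name__ == "__main__":
    for ip, why in triage(SAMPLE_LOG, KNOWN_KEY_HOLDERS).items():
        print(f"ALERT {ip}: {why}")
    for ln in assertion_exits(SAMPLE_LOG):
        print(f"CRASH {ln}")
```

Query logging has to be on for this to see anything (`rndc querylog on`, or `querylog yes;` in the options block). On the sample, only 203.0.113.7 is reported: the secondary's single signed TKEY query is expected, and the unsigned TKEY query from 203.0.113.9 is ignored because it cannot reach the affected code. Lower the burst threshold if a known key holder should never issue TKEY queries at all.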
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India, Brazil, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: isc
- Date Reserved: 2026-02-24T12:29:14.561Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c3eaa6f4197a8e3b5259ef
Added to database: 3/25/2026, 2:01:10 PM
Last enriched: 3/25/2026, 2:17:48 PM
Last updated: 3/26/2026, 5:38:52 AM