CVE-2026-3591: CWE-562 Return of Stack Variable Address in ISC BIND 9
A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.
AI Analysis
Technical Summary
CVE-2026-3591 is a use-after-return bug (CWE-562, return of a stack variable's address) in the ISC BIND 9 `named` server, affecting 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and the subscription editions 9.20.9-S1 through 9.20.20-S1. It is reached while `named` processes a DNS request carrying a SIG(0) signature (RFC 2931 public-key transaction signatures, which authenticate a request with a KEY record rather than a shared TSIG secret). While handling such a request the server keeps a pointer to a variable whose stack frame has already been released, so the value read later during ACL evaluation can be stale or overwritten. The practical effect is that an address match list is evaluated against the wrong address: the client can match an entry it should not, or fail to match the entry that should deny it. Any address-based ACL consulted for the request is in scope, for example `allow-query`, `allow-recursion`, `allow-transfer` or `allow-update`. Whether this bypasses a control depends on the shape of the list. A default-allow list such as `{ !192.0.2.0/24; any; }` falls through to `any` when the negated entry fails to match, so a mis-evaluated address is granted access; a default-deny list such as `{ 192.0.2.0/24; }` returns deny for anything that does not match, so a wrong address normally fails closed. The 9.18 branch (9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1) does not contain the bug. The CVSS v3.1 base score recorded for this entry is 5.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction. No public exploit or in-the-wild exploitation had been reported at the time of writing.
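To make the default-allow versus default-deny distinction concrete, the following added example (not BIND code) reproduces the first-match semantics of a named.conf address match list in Python and evaluates two constructed lists against the real client address and against a wrong address standing in for the mis-matched one. It handles only literal prefixes, `!` negation, `any` and `none`; named ACL references, `key` elements and geoip elements are out of scope. The addresses are documentation ranges chosen for the example, not observed data.

```python
import ipaddress

# Address match list semantics as BIND documents them: elements are tried in
# order, the first element that matches the address decides the outcome, a
# leading "!" turns a match into a deny, and if no element matches the result
# is deny. Added illustration only; this is not code from BIND.

def parse_acl(spec):
    """Parse "!198.51.100.0/24; any;" into [(negated, target), ...] where target
    is an ip_network or one of the literal strings "any" / "none"."""
    elems = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in ("any", "none"):
            elems.append((negated, item))
        else:
            elems.append((negated, ipaddress.ip_network(item, strict=False)))
    return elems

def acl_allows(spec, address):
    """First-match evaluation of spec against address; True means allowed."""
    addr = ipaddress.ip_address(address)
    for negated, target in parse_acl(spec):
        if target == "any":
            matched = True
        elif target == "none":
            matched = False
        else:
            matched = addr.version == target.version and addr in target
        if matched:
            return not negated
    return False  # nothing matched: BIND denies

def is_default_allow(spec):
    """True when the list falls through to an unconditional allow, i.e. the
    shape the advisory calls default-allow (deny some, then "any")."""
    elems = parse_acl(spec)
    return bool(elems) and elems[-1] == (False, "any")

# Constructed lists. BLOCKLIST denies one attacker prefix and allows everyone
# else; ALLOWLIST permits only the trusted prefixes.
BLOCKLIST = "!198.51.100.0/24; any;"
ALLOWLIST = "192.0.2.0/24; 2001:db8::/32;"

ATTACKER = "198.51.100.20"   # real source address of the crafted request
WRONG_ADDR = "10.1.2.3"      # constructed stand-in for a stale/mis-read address

def compare(spec):
    """Outcome with the correct address versus with a wrong address."""
    return {"correct": acl_allows(spec, ATTACKER),
            "mismatched": acl_allows(spec, WRONG_ADDR),
            "default_allow": is_default_allow(spec)}

if __name__ == "__main__":
    for name, spec in (("BLOCKLIST", BLOCKLIST), ("ALLOWLIST", ALLOWLIST)):
        print(name, compare(spec))
```

With the correct address both lists refuse the attacker. When the address being compared is wrong, the block list falls through to `any` and grants access, while the allow list still denies, which is the fail-secure behaviour the advisory describes. The one caveat is that a wrong address which happens to fall inside an allowed prefix would still be accepted by the allow list, so the allow list reduces the exposure rather than eliminating it.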
Potential Impact
A mis-evaluated ACL grants a request an access class reserved for trusted addresses, and what that buys depends on which ACL is bypassed: `allow-query` or `allow-recursion` turns a restricted server into one that answers, or recurses for, untrusted clients; `allow-transfer` exposes full zone contents to an AXFR/IXFR from a source that should have been refused; an address-based `allow-update` lets a remote party change zone data. The impact is therefore on the confidentiality and integrity of DNS service; no availability impact is reported. Exploitation needs network reachability to the server and a specially crafted SIG(0)-signed request, with no user interaction; the advisory does not say what else the attacker must hold, and the low-privilege component of the score reflects that some standing is required. Default-allow ACLs (block lists that end in `any`) are the exposed configuration; allow lists fail closed. Because BIND runs a large share of enterprise, ISP and public authoritative and recursive DNS, the population of potentially exposed servers is large, but with no known exploit and a medium score the risk is moderate rather than urgent, except where an ACL is the only control between untrusted networks and a sensitive zone or resolver.
Mitigation Recommendations
Upgrade to a release outside the affected ranges. From the ranges in the advisory that means a 9.20 release newer than 9.20.20 (newer than 9.20.20-S1 for the subscription edition) or a 9.21 release newer than 9.21.19; the 9.18 branch is unaffected, so 9.18.x deployments need no change for this issue. Confirm the running version with `named -v` on each host rather than trusting the package database. Until the upgrade is applied, review every address match list in the configuration that `named-checkconf -p` prints (`allow-query`, `allow-recursion`, `allow-transfer`, `allow-update`, `acl` definitions, `match-clients` on views) and convert block-list-style lists that end in `any` into allow lists of the trusted prefixes; a list with no trailing `any` denies everything it does not explicitly match, which is the fail-secure shape the advisory refers to. SIG(0) signatures are attached by the sender of the request, so there is no server-side "disable SIG(0)" to apply; do not count on that as a mitigation. Reduce who can reach the server at all with host or network firewall rules that admit only the prefixes the ACLs are meant to allow, so an ACL bypass gains nothing the firewall did not already permit. For detection, enable query logging (`rndc querylog`, or the `queries` logging category) together with the `xfer-out` and `update` categories, and look for queries, zone transfers or dynamic updates from sources outside the expected prefixes. Keep an inventory of BIND versions and named.conf ACLs so affected instances can be found quickly and re-checked after the upgrade.
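As an added helper for the inventory step (not an ISC tool), the following Python classifies `named -v` banners against the version ranges listed in this advisory. Releases on the 9.20 and 9.21 branches newer than the affected ranges are treated as fixed, which is an inference from the ranges rather than something the advisory states; branches the advisory does not mention (for example 9.16) are reported as unlisted rather than safe. The inventory at the bottom is constructed sample data with example.net hostnames.

```python
import re

# Inclusive affected ranges from the advisory, as (major, minor, patch) tuples.
AFFECTED = [((9, 20, 0), (9, 20, 20)), ((9, 21, 0), (9, 21, 19))]
AFFECTED_S1 = [((9, 20, 9), (9, 20, 20))]
# Ranges the advisory explicitly lists as NOT affected (the 9.18 branch).
UNAFFECTED = [((9, 18, 0), (9, 18, 46))]
UNAFFECTED_S1 = [((9, 18, 11), (9, 18, 46))]
# Last affected release per branch; anything newer on that branch is assumed
# fixed. This is an inference from the advisory's ranges, not a statement in it.
LAST_AFFECTED = {(9, 20): (9, 20, 20), (9, 21): (9, 21, 19)}

def parse_version(banner):
    """Pull (major, minor, patch) and the -S1 flag out of a `named -v` banner
    such as 'BIND 9.20.12 (Stable Release) <id:abc123>'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-S1)?", banner)
    if not m:
        raise ValueError("no BIND version in banner: %r" % banner)
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4) is not None

def status(banner):
    """'affected', 'not-affected' or 'unlisted' for one banner."""
    ver, s1 = parse_version(banner)

    def hit(ranges):
        return any(lo <= ver <= hi for lo, hi in ranges)

    if hit(AFFECTED_S1 if s1 else AFFECTED):
        return "affected"
    if hit(UNAFFECTED_S1 if s1 else UNAFFECTED):
        return "not-affected"
    last = LAST_AFFECTED.get(ver[:2])
    if last is not None and ver > last:
        return "not-affected"  # newer than the affected range on a listed branch
    return "unlisted"          # the advisory says nothing about this version

def audit(inventory):
    """Map {host: banner} to {host: status}, ordered so affected hosts come first."""
    result = {host: status(banner) for host, banner in inventory.items()}
    order = {"affected": 0, "unlisted": 1, "not-affected": 2}
    return dict(sorted(result.items(), key=lambda kv: (order[kv[1]], kv[0])))

# Constructed sample inventory (hostnames and build ids are made up).
SAMPLE = {
    "ns1.example.net": "BIND 9.20.12 (Stable Release) <id:1a2b3c4>",
    "ns2.example.net": "BIND 9.18.46 (Extended Support Version) <id:5d6e7f8>",
    "ns3.example.net": "BIND 9.20.20-S1 (Supported Preview Edition) <id:9a8b7c6>",
    "ns4.example.net": "BIND 9.21.20 (Development Release) <id:0f1e2d3>",
    "ns5.example.net": "BIND 9.16.50 (Extended Support Version) <id:4c5b6a7>",
}

if __name__ == "__main__":
    for host, st in audit(SAMPLE).items():
        print(f"{host:20} {st}")
```

Treat "unlisted" as a prompt to check the vendor's own statement for that branch, not as a clean result; an end-of-life branch is outside the advisory's scope for reasons unrelated to this bug.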
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India, Brazil, Russia
Technical Details
- Data Version: 5.2
- Assigner Short Name: isc
- Date Reserved: 2026-03-05T12:50:58.915Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c3eaa6f4197a8e3b5259f4
Added to database: 3/25/2026, 2:01:10 PM
Last enriched: 3/25/2026, 2:17:30 PM
Last updated: 3/26/2026, 5:40:22 AM