VYPR
← All advisories
High severity7.5NVD Advisory· Published May 20, 2026· Updated May 20, 2026

CVE-2026-5947

CVE-2026-5947

Description

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race condition in BIND 9's SIG(0) validation can cause a use-after-free when the recursive-clients limit is reached during a query flood, leading to denial of service.

Vulnerability

A race condition exists in BIND 9's handling of DNS messages signed with SIG(0). When BIND receives such a message, it begins validation. If during that validation the recursive-clients limit is reached (as during a query flood), the message is discarded. There is a brief window where the SIG(0) validation may attempt to read the freed message, resulting in a use-after-free violation. This affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and BIND Supported Preview Edition 9.20.9-S1 through 9.20.22-S1. Versions 9.18.28 through 9.18.49 and their S1 counterparts are not affected [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication (CVSS: AV:N/PR:N/UI:N). The attacker sends DNS messages signed with SIG(0) to a vulnerable BIND server while simultaneously flooding the server with queries to reach the recursive-clients limit. The race window occurs after the server discards the message due to the limit but before the SIG(0) validation completes, causing the validation to read freed memory [1].

Impact

Successful exploitation leads to undefined behavior due to the use-after-free. The BIND process may abort with a segmentation violation or similar error, resulting in a denial of service. Code execution is considered unlikely. Both authoritative servers and resolvers are affected [1].

Mitigation

ISC has released patched versions 9.20.23 and 9.21.22 on 20 May 2026 [2][3]. Users should upgrade to the appropriate fixed release. No workarounds are available. Versions 9.18.28 through 9.18.49 are not affected and do not require an upgrade. No active exploits have been reported [1].

References
  1. CVE-2026-5947: SIG(0) validation during query flood may lead to undefined behavior
  2. Index of /isc/bind9/9.21.22
  3. Index of /isc/bind9/9.20.23

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Isc Projects/Bind9inferred
    Range: >=9.20.0,<=9.20.22 || >=9.21.0,<=9.21.21 || >=9.20.9-S1,<=9.20.22-S1
  • Isc/Bindllm-fuzzy
    Range: >=9.20.0 <=9.20.22 || >=9.21.0 <=9.21.21 || >=9.20.9-S1 <=9.20.22-S1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.