CVE-2026-5950
Description
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unbounded resend loop in BIND 9 resolver's bad-server handling allows a remote unauthenticated attacker to cause severe resource exhaustion.
Vulnerability
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling. When a resolver receives queries that trigger specific retry conditions, it can enter an unbounded loop of resending queries to a misbehaving server, leading to severe resource exhaustion. This affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, and the corresponding Supported Preview Edition versions 9.18.36-S1 through 9.18.48-S1 and 9.20.9-S1 through 9.20.22-S1 [1]. Authoritative-only services are believed to be unaffected [1].
Exploitation
A remote unauthenticated attacker can exploit this vulnerability by sending crafted DNS queries to a vulnerable resolver. No authentication or prior access is required. The attacker triggers the bad-server handling code path, causing the resolver to repeatedly resend queries in an unbounded loop, consuming CPU and memory resources [1]. No user interaction is needed.
Impact
Successful exploitation results in severe resource exhaustion on the affected resolver, leading to denial of service (DoS). The resolver may become unresponsive or crash, disrupting DNS resolution for legitimate clients. The vulnerability does not allow data compromise or privilege escalation; the impact is limited to availability [1].
Mitigation
ISC released patched versions on 20 May 2026: 9.18.49, 9.20.23, and 9.21.22 for the standard release branches, and 9.18.49-S1 and 9.20.23-S1 for the Supported Preview Edition [1]. These are available for download from the ISC website [2][3][4]. No workarounds are known [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=9.18.36,<=9.18.48 || >=9.20.8,<=9.20.22 || >=9.21.7,<=9.21.21 || >=9.18.36-S1,<=9.18.48-S1 || >=9.20.9-S1,<=9.20.22-S1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.