Description
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
Published: 2026-05-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in ISC BIND 9 can cause a use‑after‑free during SIG(0) validation when a DNS query that is being validated is discarded due to the recursive‑clients limit being reached. The resulting undefined behavior may manifest as a program crash or other erratic behavior within the DNS server process.

Affected Systems

ISC BIND 9 is affected for a range of releases: 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and the versions 9.20.9‑S1 through 9.20.22‑S1. Releases 9.18.28 through 9.18.49 and their ‑S1 counterparts are not vulnerable. Users should verify whether the installed BIND version falls within the exposed intervals.

Risk and Exploitability

The CVSS score of 7.5 classifies this vulnerability as high severity, but the EPSS score (< 1%) indicates a very low likelihood of exploitation in the wild and it is not listed in CISA’s KEV catalog. The flaw can be triggered only when a flooding attack with SIG(0) signed queries saturates the recursive‑client limit, creating a narrow timing window for the race. Though no publicly known exploits exist, the undefined behavior could lead to crashes or more severe issues if an attacker can supply crafted input during the race.

Generated by OpenCVE AI on May 22, 2026 at 02:23 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.23, 9.21.22, or 9.20.23-S1.

Vendor Workaround

No workarounds known.

OpenCVE Recommended Actions

  • Update ISC BIND 9 to a patched release (9.20.23, 9.21.22 or 9.20.23‑S1) from the ISC download site.
  • Restart the BIND service to load the updated binaries.
  • Monitor BIND logs for abnormal behavior and verify that DNS queries are processed normally after the upgrade.

Generated by OpenCVE AI on May 22, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6285-1 bind9 security update
Ubuntu USN Ubuntu USN USN-8293-1 Bind vulnerabilities
History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 21 May 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 13:15:00 +0000

Type Values Removed Values Added
Description Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
Title SIG(0) validation during query flood may lead to undefined behavior
First Time appeared Isc
Isc bind
Weaknesses CWE-362
CWE-416
CPEs cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Vendors & Products Isc
Isc bind
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Isc Bind
cve-icon MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:39:38.654Z

Reserved: 2026-04-09T06:40:58.672Z

Link: CVE-2026-5947

cve-icon Vulnrichment

Updated: 2026-05-20T13:39:19.676Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T13:16:40.303

Modified: 2026-05-21T15:24:32.997

Link: CVE-2026-5947

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-21T12:15:50Z

Links: CVE-2026-5947 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T02:30:16Z

Weaknesses