Description
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message.
This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1.
BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
Published: 2026-05-20
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in ISC BIND 9 arises from a race condition that can trigger a use‑after‑free violation during SIG(0) validation when a query flood drops the message that is under validation. This race opens the possibility of undefined behaviour, which can manifest as a crash or, in the worst case, arbitrary code execution if the attacker can supply crafted input and force the use‑after‑free. The flaw is triggered when the recursive‑clients limit is hit, a state that can be induced by a denial‑of‑service style flood of DNS queries signed with SIG(0).

Affected Systems

Affected products are ISC BIND 9, specifically versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9‑S1 through 9.20.22‑S1. Versions 9.18.28 through 9.18.49 and their ‑S1 counterparts are not vulnerable. Users running any of the listed releases should review their deployment to confirm whether they are within the affected range.

Risk and Exploitability

The CVSS score of 7.5 marks this issue as high severity, and its use‑after‑free nature suggests that an attacker could achieve remote code execution if the flaw is leveraged, though there are no publicly known exploits or KEV listing. The EPSS score is not available, indicating uncertainty about the prevalence of exploitation attempts. The most likely attack path requires an external entity to feed a large volume of SIG(0) signed queries to saturate the recursive‑clients limit, at which point a race condition may lead to the use‑after‑free. Because the flaw depends on a specific network load state, mitigations centre on patching rather than blocking traffic.

Generated by OpenCVE AI on May 20, 2026 at 14:35 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.23, 9.21.22, or 9.20.23-S1.


Vendor Workaround

No workarounds known.


OpenCVE Recommended Actions

  • Update ISC BIND 9 to a patched release (9.20.23, 9.21.22 or 9.20.23‑S1) from the ISC download site.
  • Restart the BIND service to load the new binaries.
  • Monitor BIND logs for abnormal behaviour and verify that DNS queries are processed normally after the upgrade.

Generated by OpenCVE AI on May 20, 2026 at 14:35 UTC.

Advisories
Source: Debian DSA
ID: DSA-6285-1
Title: bind9 security update

History

Wed, 20 May 2026 14:30:00 +0000

Values added:

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Values added:

  • Description: Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
  • Title: SIG(0) validation during query flood may lead to undefined behavior
  • First Time appeared: Isc; Isc bind
  • Weaknesses: CWE-362, CWE-416
  • CPEs: cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
  • Vendors & Products: Isc; Isc bind
  • References:
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:39:38.654Z

Reserved: 2026-04-09T06:40:58.672Z

Link: CVE-2026-5947

Vulnrichment

Updated: 2026-05-20T13:39:19.676Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T13:16:40.303

Modified: 2026-05-20T14:04:57.320

Link: CVE-2026-5947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T16:00:06Z