Description
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions.
This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unbounded resend loop in the resolver state machine during bad-server handling, which lets a remote unauthenticated attacker send crafted queries that trigger the retry conditions. It is classified as CWE-606 (Unchecked Input for Loop Condition) and CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop'): once triggered, the resolver keeps resending queries and processing the answers, rapidly consuming CPU, memory, and network bandwidth. The result is a denial of service at the system or network level, degrading the availability of the DNS service and potentially affecting downstream clients that depend on it.

Affected Systems

BIND 9, the DNS server developed by ISC. The affected releases are 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, and the corresponding -S1 branches (9.18.36-S1 through 9.18.48-S1 and 9.20.9-S1 through 9.20.22-S1). Systems running any of these versions are vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L: network-reachable, low attack complexity, no privileges or user interaction, low availability impact) reflects moderate severity; the EPSS score is below 1% and the issue is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is a remote attacker sending DNS queries over the network to a BIND 9 instance that is reachable without authentication. Once the retry loop is triggered, the BIND instance consumes CPU, memory and bandwidth until the process stalls or the system becomes unresponsive. The exploit requires no special privileges and consists purely of network traffic sent to the target.

Generated by OpenCVE AI on May 26, 2026 at 13:50 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.


Vendor Workaround

No workarounds known.


OpenCVE Recommended Actions

  • Apply the latest patched BIND 9 release as listed in the vendor’s advisory (9.18.49, 9.20.23, 9.21.22, 9.18.49‑S1, or 9.20.23‑S1).
  • Reload or restart BIND after applying the patch to ensure the new binaries are in use.
  • Configure the firewall or BIND itself to limit recursive query traffic from untrusted networks, applying rate‑limiting rules or disabling recursion for external clients until the patch is fully deployed.
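One way to carry out the third action in BIND's own configuration, as an added example that is not part of the OpenCVE record or of any ISC advisory: a named.conf fragment that limits recursion to an assumed internal ACL and enables response rate limiting. The ACL name and the address ranges are placeholders.

```conf
// Added example, not from the OpenCVE record or ISC: restrict who can drive
// this resolver's recursion while the fixed release is rolled out.
// 192.0.2.0/24 and 2001:db8::/32 are placeholder (documentation) ranges;
// replace them with the client networks this resolver actually serves.

acl "internal-clients" {
    localhost;
    localnets;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    // Keep recursion available for the networks that need it and refuse it
    // to everyone else. Clients outside the ACL then cannot make this
    // instance iterate toward external authoritative servers, which is
    // the code path where the bad-server retry handling runs.
    recursion yes;
    allow-recursion { internal-clients; };
    allow-query-cache { internal-clients; };

    // For a pure resolver, queries themselves can be limited to the same set.
    // A server that is also authoritative for public zones would instead keep
    // allow-query open and rely on allow-recursion alone.
    allow-query { internal-clients; };

    // Response rate limiting caps how many identical responses a single
    // client receives per second, which blunts high-volume query abuse
    // from one source.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only no;
    };
};
```

Validate the file with `named-checkconf` and apply it with `rndc reconfig`. Note that `rate-limit` throttles the responses BIND sends to its clients; it does not bound the resolver's own retries toward upstream servers, so together with the recursion ACL it reduces who can trigger the loop rather than removing it. Only the upgrade fixes the defect.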

Advisories
Source       ID           Title
Debian DSA   DSA-6285-1   bind9 security update
Ubuntu USN   USN-8293-1   Bind vulnerabilities
History

Tue, 26 May 2026 12:15:00 +0000

Type          Values Removed           Values Added
Weaknesses                             CWE-835
References
Metrics       threat_severity: None    threat_severity: Moderate


Thu, 21 May 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*

Wed, 20 May 2026 14:30:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Type                  Values Removed   Values Added
Description                            An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Title                                  Unbounded resend loop in BIND 9 resolver
First Time appeared                    Isc, Isc bind
Weaknesses                             CWE-606
CPEs                                   cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Vendors & Products                     Isc, Isc bind
References
Metrics                                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:38:53.211Z

Reserved: 2026-04-09T06:42:23.953Z

Link: CVE-2026-5950

Vulnrichment

Updated: 2026-05-20T13:38:44.672Z

NVD

Status: Analyzed

Published: 2026-05-20T13:16:40.450

Modified: 2026-05-21T15:24:34.667

Link: CVE-2026-5950

Red Hat

Severity: Moderate

Public Date: 2026-05-26T03:43:54Z

Links: CVE-2026-5950 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T14:00:06Z

Weaknesses
  • CWE-606

    Unchecked Input for Loop Condition

  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')