Description
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions.
This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unbounded resend loop in the resolver state machine during bad-server handling, which allows a remote unauthenticated attacker to send specially crafted queries that trigger retry conditions. This vulnerability is a CWE-606 type flaw (Missing Input Validation) and causes the resolver to repeatedly send and receive answers, rapidly consuming CPU, memory, and network bandwidth. The impact is a denial of service at the system or network level, degrading the availability of the DNS service and potentially impacting downstream clients that rely on it.

Affected Systems

BIND 9, a DNS server developed by ISC. The affected releases are 9.18.36‑48, 9.20.8‑22, 9.21.7‑21 and their corresponding security‑fixed branches. Systems running any of these versions are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity, with no EPSS information available and the issue not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is a remote attacker sending DNS queries over the network to a BIND 9 instance that can be reached without authentication. Once the retry loop is triggered, the BIND instance will consume resources until the process stalls or the system becomes unresponsive. The exploit requires no special privileges and can be executed purely by sending network traffic to the target.

Generated by OpenCVE AI on May 20, 2026 at 15:05 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.


Vendor Workaround

No workarounds known.


OpenCVE Recommended Actions

  • Apply the latest patched BIND 9 release as listed in the vendor’s advisory (9.18.49, 9.20.23, 9.21.22, 9.18.49‑S1, or 9.20.23‑S1).
  • Reload or restart BIND after applying the patch to ensure the new binaries are in use.
  • Configure the firewall or BIND itself to limit recursive query traffic from untrusted networks, applying rate‑limiting rules or disabling recursion for external clients until the patch is fully deployed.
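As an added example (not from the advisory or from ISC), the named.conf fragment below applies the interim mitigations in the last bullet: the open-recursion settings are shown commented out beside the restricted ones, and a resolver log channel is added for spotting retry storms. The acl ranges and log path are assumed.

```conf
// Added example, not ISC's or the advisory's own configuration.
// Network ranges below are assumed placeholders; substitute your own.
acl trusted { 127.0.0.0/8; ::1/128; 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/cache/bind";

    // Before (weak): recursion and cache lookups offered to any client
    // that can reach the server, so untrusted traffic can drive the resolver.
    // recursion yes;
    // allow-recursion { any; };
    // allow-query-cache { any; };

    // After: recursion and cache access only for trusted clients. External
    // clients still receive authoritative answers for zones served here.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Cap the number of simultaneous recursive client contexts.
    recursive-clients 1000;

    // Response Rate Limiting: bounds identical responses per client netblock
    // per second. This limits what is sent back to clients; it does not alter
    // the resolver's internal retry behaviour, so the recursion restriction
    // above is the primary interim control.
    rate-limit {
        responses-per-second 10;
        errors-per-second 5;
        nxdomains-per-second 5;
        window 5;
        slip 2;
        log-only no;
    };
};

// Resolver activity log (assumed path) to watch for abnormal retry volume
// until the patched release is deployed.
logging {
    channel resolver_log {
        file "/var/log/named/resolver.log" versions 5 size 20m;
        severity info;
        print-time yes;
    };
    category resolver { resolver_log; };
};
```

Run `named-checkconf` after editing and `rndc reconfig` (or a full restart after the package upgrade) to load the changes.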

Generated by OpenCVE AI on May 20, 2026 at 15:05 UTC.


Advisories
Source: Debian DSA; ID: DSA-6285-1; Title: bind9 security update
History

Wed, 20 May 2026 14:30:00 +0000

Metrics added (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 13:15:00 +0000

Description added: An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Title added: Unbounded resend loop in BIND 9 resolver
First Time appeared: Isc, Isc bind
Weaknesses added: CWE-606
CPEs added: cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*
Vendors & Products added: Isc, Isc bind
Metrics added (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-05-20T13:38:53.211Z

Reserved: 2026-04-09T06:42:23.953Z

Link: CVE-2026-5950

Vulnrichment

Updated: 2026-05-20T13:38:44.672Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T13:16:40.450

Modified: 2026-05-20T14:04:57.320

Link: CVE-2026-5950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T19:00:06Z

Weaknesses