Skip to main content

ISC BIND 9 CVE-2026-5947

| EUVDEUVD-2026-31110 MEDIUM
Race Condition (CWE-362)
2026-05-20 isc GHSA-6mm6-m775-chpm
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH MEDIUM
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.5 (HIGH) 5.9 (MEDIUM)
Analysis Generated
May 20, 2026 - 13:33 vuln.today

DescriptionNVD

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.

AnalysisAI

Denial of service in ISC BIND 9 resolvers can be triggered when a SIG(0)-signed DNS message is dropped under recursive-clients pressure, creating a race that leads to a use-after-free on the discarded message buffer. Affects BIND 9.20.0-9.20.22, 9.21.0-9.21.21, and the 9.20.9-S1-9.20.22-S1 subscription branch; no public exploit identified at time of analysis and the issue is not on CISA KEV.

Technical ContextAI

BIND 9 is the Internet Systems Consortium's reference DNS server, widely deployed as an authoritative and recursive resolver. The flaw is a CWE-362 race condition between two concurrent code paths: the SIG(0) transaction-signature validator (RFC 2931), which performs asymmetric cryptographic verification on inbound DNS messages, and the recursive-clients quota enforcer, which discards in-flight client queries once the configured limit is exceeded. Because validation retains a pointer to the message buffer while the quota path frees it, the validator can dereference freed memory - a classic use-after-free arising from inadequate synchronization on a shared object lifecycle, scoped to the ISC bind_9 CPE (cpe:2.3:a:isc:bind_9).

RemediationAI

Vendor-released patch: upgrade to BIND 9.20.23 (https://downloads.isc.org/isc/bind9/9.20.23) or 9.21.22 (https://downloads.isc.org/isc/bind9/9.21.22), with subscription customers moving to the corresponding -S1 release per ISC KB at https://kb.isc.org/docs/cve-2026-5947. Where immediate patching is not possible, raising the recursive-clients limit well above sustained load reduces the likelihood of the quota-discard path firing during SIG(0) validation (trade-off: higher memory consumption and reduced protection against legitimate resolver flooding), and restricting which clients can reach the resolver via allow-query/ACLs or network filtering shrinks the unauthenticated attack surface (trade-off: only viable for internal or known-client resolvers, not open public resolvers). Disabling SIG(0) processing is not a supported toggle in BIND, so the patch is the only reliable fix.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-5947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy