Skip to main content

ISC BIND 9 CVE-2026-5950

| EUVDEUVD-2026-31109 MEDIUM
Unchecked Input for Loop Condition (CWE-606)
2026-05-20 isc GHSA-2pjm-rchf-gxmp
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:36 vuln.today

DescriptionCVE.org

An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

AnalysisAI

Resource exhaustion in ISC BIND 9's resolver state machine allows remote unauthenticated attackers to trigger an unbounded resend loop by sending crafted DNS queries that activate bad-server retry conditions, degrading resolver availability. Multiple active release branches are affected across standard and Subscription Edition builds spanning versions 9.18.36 through 9.21.21. No public exploit has been identified and the vulnerability is not listed in CISA KEV; however, the fully network-accessible, zero-authentication attack vector makes every exposed BIND 9 resolver a potential target.

Technical ContextAI

BIND 9, maintained by the Internet Systems Consortium (ISC) and identified by CPE cpe:2.3:a:isc:bind_9:*:*:*:*:*:*:*:*, is the most widely deployed DNS resolver and authoritative nameserver implementation in production environments. The vulnerability resides in the resolver state machine's bad-server handling path - a subsystem that tracks unresponsive or misbehaving upstream nameservers and schedules query retries. CWE-606 (Unchecked Input for Loop Condition) identifies the root cause class: the loop termination condition governing the resend/retry logic is not properly bounded, allowing the resolver to cycle through retries indefinitely when specific query conditions are met. This class of defect is particularly impactful in stateful network daemons because the loop consumes process resources proportional to query volume and duration without a natural exit, unlike a crash-type vulnerability. Both standard and Subscription Edition (S1) BIND 9 builds share the same resolver state machine codebase and are equally affected.

RemediationAI

The primary fix is to upgrade BIND 9 to a patched release issued by ISC. Patched versions are available for all affected branches: 9.18.49 at https://downloads.isc.org/isc/bind9/9.18.49, 9.20.23 at https://downloads.isc.org/isc/bind9/9.20.23, and 9.21.22 at https://downloads.isc.org/isc/bind9/9.21.22. Subscription Edition users should obtain the corresponding S1 patch builds through ISC's subscription channel. If immediate patching is operationally infeasible, reduce attack surface by tightening recursive resolver access: configure allow-recursion and allow-query-cache ACLs in named.conf to restrict query acceptance to known trusted client IP ranges, preventing untrusted network actors from reaching the vulnerable state machine path - note this will break resolution for any legitimate clients outside the ACL scope. Additionally, configuring DNS rate limiting via the rate-limit clause in named.conf can reduce the volume of concurrent exploit attempts, though it may also affect throughput for legitimate high-volume query sources. These are compensating controls only; they do not fix the underlying loop condition. The ISC advisory at https://kb.isc.org/docs/cve-2026-5950 should be consulted for any additional mitigations or configuration guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-5950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy