CVE-2026-5947
Race Condition in BIND Leads to Use-After-Free
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Internet Systems Consortium (ISC)
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isc | bind | From 9.20.0 (inc) to 9.20.22 (inc) |
| isc | bind | From 9.21.0 (inc) to 9.21.21 (inc) |
| isc | bind | From 9.20.9-S1 (inc) to 9.20.22-S1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5947 is a high-severity vulnerability in BIND 9 versions 9.20.0 to 9.20.22, 9.21.0 to 9.21.21, and their Supported Preview Editions. It arises from a race condition during the validation of DNS messages signed with SIG(0). When the "recursive-clients" limit is reached during a query flood, some DNS messages are discarded. However, the SIG(0) validation process may still attempt to read these discarded messages, leading to a use-after-free violation and undefined behavior.
This can cause the BIND process to crash with a segmentation fault, although arbitrary code execution is unlikely. Both authoritative servers and resolvers running affected versions are impacted.
How can this vulnerability impact me?
The primary impact of this vulnerability is that the BIND process may crash due to a segmentation fault caused by the use-after-free condition. This can lead to denial of service (DoS) as the DNS server or resolver becomes unavailable.
Although arbitrary code execution is unlikely, the instability can disrupt DNS services, affecting network reliability and availability for users and applications relying on the affected BIND servers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability may cause the BIND process to crash with a segmentation fault due to a use-after-free condition triggered during SIG(0) signature validation under query flood conditions.
Detection can involve monitoring BIND logs and system logs for unexpected crashes or segmentation faults related to the named process.
No specific command detects this vulnerability directly, and no active exploits are known.
General commands to check the BIND version installed on your system include:
- named -v
- dig +short chaos txt version.bind @localhost
Monitoring for frequent crashes or segmentation faults in system logs (e.g., using journalctl or /var/log/messages) may help identify if the vulnerability is being triggered.
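The two checks described above (version against the affected ranges listed on this page, and crash monitoring in system logs) can be combined in a small triage script. This is an added example, not ISC code: the function names `bind_status`, `count_named_crashes` and `sample_log` are hypothetical, the systemd unit names are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not ISC code): triage helper for CVE-2026-5947.

# bind_status "<version text>" -> prints affected | not-affected | unknown
# Ranges are the ones listed on this page.
bind_status() {
    # First X.Y.Z token; an optional -S<n> suffix marks a Supported Preview Edition.
    v=$(printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(-S[0-9]+)?' | head -n 1) || true
    [ -n "$v" ] || { echo unknown; return 0; }
    base=${v%%-S*}
    case "$v" in *-S*) edition=preview ;; *) edition=open ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -eq 9 ] || { echo not-affected; return 0; }
    case "$edition:$minor" in
        open:20)    lo=0; hi=22 ;;   # 9.20.0 to 9.20.22
        open:21)    lo=0; hi=21 ;;   # 9.21.0 to 9.21.21
        preview:20) lo=9; hi=22 ;;   # 9.20.9-S1 to 9.20.22-S1
        *) echo not-affected; return 0 ;;
    esac
    if [ "$patch" -ge "$lo" ] && [ "$patch" -le "$hi" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# count_named_crashes: reads log text on stdin, prints how many times systemd
# reported the DNS unit's main process dying with SIGSEGV.
# Assumption: the unit is called named*.service or bind9*.service.
count_named_crashes() {
    grep -Ec '(named|bind9)[^ ]*\.service: Main process exited, code=(killed|dumped), status=11/SEGV' || true
}

# Constructed sample journal lines (not taken from a real host).
sample_log() {
    cat <<'EOF'
May 20 10:01:12 ns1 systemd[1]: named.service: Main process exited, code=dumped, status=11/SEGV
May 20 10:01:12 ns1 systemd[1]: named.service: Failed with result 'core-dump'.
May 20 10:01:13 ns1 systemd[1]: named.service: Scheduled restart job, restart counter is at 1.
May 20 10:07:40 ns1 systemd[1]: named.service: Main process exited, code=dumped, status=11/SEGV
May 20 10:09:02 ns1 systemd[1]: sshd.service: Main process exited, code=exited, status=255/EXCEPTION
EOF
}

# Typical use on a host (commands from the page):
#   bind_status "$(named -v)"
#   journalctl --since yesterday | count_named_crashes
```

Distribution packages may backport fixes while keeping the upstream version number, so an "affected" result on a packaged build should be confirmed against the vendor's advisory. A crash count alone does not prove this CVE is the cause; it only flags hosts worth a closer look.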
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade BIND to a patched version that addresses this vulnerability.
- Upgrade to BIND version 9.20.23, 9.21.22, or their Supported Preview Edition equivalents (9.20.23-S1).
There are no known workarounds or active exploits, so upgrading is the recommended immediate action.
Additionally, monitoring and limiting query floods that reach the "recursive-clients" limit may reduce the chance of triggering the race condition.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.