CVE-2026-5947
Analyzed Analyzed - Analysis Complete
Race Condition in BIND Leads to Use-After-Free

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: Internet Systems Consortium (ISC)

Description
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-5947
EUVD
EUVD-2026-31110
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
isc bind From 9.20.0 (inc) to 9.20.23 (exc)
isc bind From 9.21.0 (inc) to 9.21.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-5947 is a high-severity vulnerability in BIND 9 versions 9.20.0 to 9.20.22, 9.21.0 to 9.21.21, and their Supported Preview Editions. It arises from a race condition during the validation of DNS messages signed with SIG(0). When the "recursive-clients" limit is reached during a query flood, some DNS messages are discarded. However, the SIG(0) validation process may still attempt to read these discarded messages, leading to a use-after-free violation and undefined behavior.

This can cause the BIND process to crash with a segmentation fault, although arbitrary code execution is unlikely. Both authoritative servers and resolvers running affected versions are impacted.

Impact Analysis

The primary impact of this vulnerability is that the BIND process may crash due to a segmentation fault caused by the use-after-free condition. This can lead to denial of service (DoS) as the DNS server or resolver becomes unavailable.

Although arbitrary code execution is unlikely, the instability can disrupt DNS services, affecting network reliability and availability for users and applications relying on the affected BIND servers.

Detection Guidance

This vulnerability may cause the BIND process to crash with a segmentation fault due to a use-after-free condition triggered during SIG(0) signature validation under query flood conditions.

Detection can involve monitoring BIND logs and system logs for unexpected crashes or segmentation faults related to the named process.

There are no specific commands or active exploits known to detect this vulnerability directly.

General commands to check the BIND version installed on your system include:

  • named -v
  • dig +short chaos txt version.bind @localhost

Monitoring for frequent crashes or segmentation faults in system logs (e.g., using journalctl or /var/log/messages) may help identify if the vulnerability is being triggered.

Mitigation Strategies

The primary mitigation step is to upgrade BIND to a patched version that addresses this vulnerability.

  • Upgrade to BIND version 9.20.23, 9.21.22, or their Supported Preview Edition equivalents (9.20.23-S1).

There are no known workarounds or active exploits, so upgrading is the recommended immediate action.

Additionally, monitoring and limiting query floods that reach the "recursive-clients" limit may reduce the chance of triggering the race condition.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart