CVE-2026-5950

Published May 20, 2026

Last updated 17 days ago

CVSS medium 5.3

Overview

Description
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Source
security-officer@isc.org
NVD status
Analyzed
Products
bind

Risk scores

CVSS 3.1

Type
Primary
Base score
5.3
Impact score
1.4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Severity
MEDIUM

Weaknesses

security-officer@isc.org
CWE-606

Social media

Hype score
Not currently trending

  1. 【BINDに複数脆弱性、DNS運用者は更新確認を】 JVNは、BINDに複数の脆弱性が存在すると公表しました。 対象には CVE-2026-3039、CVE-2026-3592、CVE-2026-3593、CVE-2026-5946、CVE-2026-5947、CVE-2026-5950 が含まれ、サービス運用

    @01ra66it

    25 May 2026

    209 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 【ISC BINDに複数脆弱性、DNS可用性への影響に注意】 JVNは、ISC BINDにおける複数の脆弱性を公開しました。対象にはCVE-2026-3039、CVE-2026-3592、CVE-2026-3593、CVE-2026-5946、CVE-2026-5947、CVE-2026-5950が含まれ、DoS、メモリ破

    @01ra66it

    23 May 2026

    167 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 【BIND 9に複数脆弱性、DNS運用者は更新確認を】 JVNは、ISC BINDにおける複数の脆弱性を公表しました。対象にはCVE-2026-3039、CVE-2026-3592、CVE-2026-3593、CVE-2026-5946、CVE-2026-5947、CVE-2026-5950が含まれます。

    @01ra66it

    21 May 2026

    202 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. JVNVU#99225456: ISC BINDにおける複数の脆弱性(2026年5月) https://t.co/CVPAVe4C8c "遠隔の攻撃者によって、サービス運用妨害(DoS)攻撃を引き起こされる(CVE-2026-3039、CVE-2026-3592、CVE-2026-5946、CVE-2026-5947、CVE-2026-5950)" h

    @catnap707

    21 May 2026

    181 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.CVE-2026-5946
  2. Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.CVE-2026-5947
  3. BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.CVE-2026-3592
  4. BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.CVE-2026-3039
  5. A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.CVE-2026-3593

References

Sources include official advisories and independent security research.