CVE-2026-5947

Summary

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.20.0 <= 9.20.22affected
ISCBIND 99.21.0 <= 9.21.21affected
ISCBIND 99.20.9-S1 <= 9.20.22-S1affected
ISCBIND 99.18.28 <= 9.18.49unaffected
ISCBIND 99.18.28-S1 <= 9.18.49-S1unaffected

Weaknesses

  • CWE-362: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
  • CWE-416: CWE-416 Use After Free

Workarounds

No workarounds known.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

bind: SIG(0) validation during query flood may lead to undefined behavior

Additional References

References