Race Condition Vulnerability in BIND 9 by ISC
CVE-2026-5947

7.5HIGH

Key Information:

Vendor: Isc
Status: Bind 9
Vendor: CVE Published:; 20 May 2026

Badges

👾 Exploit Exists

What is CVE-2026-5947?

A race condition in BIND 9 may lead to undefined behavior through a use-after-free violation when processing DNS messages signed with SIG(0). During the validation of the signature, if the 'recursive-clients' limit is hit, the corresponding DNS message can be discarded, leaving a window in which the validation process may erroneously reference memory from the now-discarded message. This vulnerability affects specific versions of BIND 9, highlighting the importance of updating to the latest secure versions to mitigate potential exploitation risks.

Affected Version(s)

BIND 9 9.20.0 <= 9.20.22

BIND 9 9.21.0 <= 9.21.21

BIND 9 9.20.9-S1 <= 9.20.22-S1

References

https://kb.isc.org/docs/cve-2026-5947

vendor-advisory

https://downloads.isc.org/isc/bind9/9.20.23

patch

https://downloads.isc.org/isc/bind9/9.21.22

patch

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
May 20, 2026
Vulnerability published
May 20, 2026
Vulnerability Reserved
Apr 9, 2026

Credit

ISC would like to thank Naoki Wakamatsu for bringing this vulnerability to our attention.

CVE-2026-5947 Data

JSON

Isc

Badges

What is CVE-2026-5947?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit