Unbounded Resend Loop Vulnerability in BIND 9 Resolver by ISC
CVE-2026-5950

5.3 MEDIUM

Key Information:

Vendor

ISC

Status
Vendor
CVE Published: 20 May 2026

Badges

👾 Exploit Exists

What is CVE-2026-5950?

A vulnerability exists in the BIND 9 resolver state machine that can lead to an unbounded resend loop during the handling of bad servers. This allows remote unauthenticated attackers to send specially crafted queries that trigger retries, potentially leading to severe resource exhaustion on affected systems. This issue impacts specific versions of BIND 9, including 9.18.36 to 9.18.48, 9.20.8 to 9.20.22, and 9.21.7 to 9.21.21.

Affected Version(s)

BIND 9: 9.18.36 through 9.18.48

BIND 9: 9.20.8 through 9.20.22

BIND 9: 9.21.7 through 9.21.21

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

ISC would like to thank Billy Baraja (BielraX) for bringing this vulnerability to our attention.