CVE-2026-5947 Overview
CVE-2026-5947 is a race condition [CWE-362] in ISC BIND 9 that leads to a use-after-free. When named receives a DNS message signed with SIG(0), it starts validating the signature. If the recursive-clients limit is reached while that validation is still in progress, for example during a query flood, the message is discarded and its memory freed. A brief window exists in which the SIG(0) validation routine may still read the now-freed message.
The flaw affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. Versions in the 9.18.x branch are not affected. Remote attackers can trigger the condition without authentication by sending SIG(0)-signed DNS traffic under load.
Critical Impact
A remote unauthenticated attacker can crash BIND 9 resolvers by sending SIG(0)-signed DNS messages while the server is under recursive query load, causing denial of service on DNS infrastructure.
Affected Products
- ISC BIND 9 versions 9.20.0 through 9.20.22
- ISC BIND 9 versions 9.21.0 through 9.21.21
- ISC BIND 9 Supported Preview Edition 9.20.9-S1 through 9.20.22-S1
Discovery Timeline
- 2026-05-20 - CVE-2026-5947 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-5947
Vulnerability Analysis
The vulnerability is a use-after-free triggered by a race between two concurrent code paths in named. SIG(0) is a transaction signature mechanism defined in RFC 2931 that authenticates an individual DNS message with a public-key signature; the signature travels as a SIG resource record in the additional section of the message. When named receives a SIG(0)-signed message, it allocates resources to validate that signature against the sender's key.
Validation is not instantaneous. While the cryptographic check proceeds, the resolver continues to accept other client traffic. If the configured recursive-clients quota is exceeded during this window, BIND's quota enforcement frees the in-flight DNS message to reclaim resources. The SIG(0) validation path holds no reference that keeps the message alive for the duration of the check, so when it resumes it may dereference freed memory.
The outcome is undefined behavior, typically resulting in named aborting or crashing. This produces a denial-of-service condition on the resolver. The vulnerability impacts availability only; confidentiality and integrity are not affected.
Root Cause
The root cause is missing synchronization between the SIG(0) validation worker and the recursive-clients quota enforcement path. Both paths reference the same DNS message structure, but no lifetime guarantee protects the buffer for the duration of validation. The 9.18.x branch does not share the affected code path and is therefore unaffected.
Attack Vector
A remote attacker sends DNS queries signed with SIG(0) to a vulnerable BIND 9 resolver. The attacker concurrently generates enough query volume to push the resolver past its recursive-clients limit. The race window is small but reachable from the network without authentication, user interaction, or prior access.
No public proof-of-concept exploit is available. Refer to the ISC CVE-2026-5947 Documentation for the vendor's technical write-up.
Detection Methods for CVE-2026-5947
Indicators of Compromise
- Unexpected named process termination or restart events on resolvers running affected BIND 9 versions.
- Log entries indicating the recursive-clients quota has been reached, correlated with crashes or service restarts.
- Bursts of inbound DNS traffic containing SIG(0) signatures, particularly from unfamiliar sources.
Detection Strategies
- Monitor named exit codes, core dumps, and systemd or service-manager restart counters for the BIND service.
- Inspect inbound DNS traffic for SIG(0)-signed messages, which carry a SIG record (type 24) with a type-covered value of 0 in the additional section, and pay particular attention to any that arrive during periods of high query volume. BIND's query log flags signed queries with an S but does not distinguish SIG(0) from TSIG, so a packet capture or dnstap stream is the reliable source.
- Correlate "no more recursive clients ... quota reached" messages (and clients-per-query warnings) in the named log with subsequent resolver instability.
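The wire-level check described above, written out as an added example (this is not code from ISC or from the original page): a minimal DNS message walker that skips the question, answer and authority sections and reports a SIG record in the additional section whose type-covered field is 0, which is the SIG(0) form. The sample messages are constructed inline; the signature bytes, key tag, algorithm number and signer name in them are placeholders, not captured traffic.

```python
import struct

SIG_TYPE = 24           # SIG RR type (RFC 2535); the carrier for SIG(0)
SIG0_TYPE_COVERED = 0   # type-covered 0 marks a transaction signature (RFC 2931)


def _read_name(msg, off):
    """Decode a possibly compressed DNS name at msg[off]; return (name, next_offset)."""
    labels, hops, end, jumped = [], 0, None, False
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                            # caller resumes after the pointer
            jumped = True
            hops += 1
            if hops > 64 or ptr >= off:                  # loop / forward-pointer guard
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        if length > 63:
            raise ValueError("bad label length")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) or ".", (end if jumped else off)


def find_sig0(msg):
    """Return details of a SIG(0) RR in the additional section, or None if absent."""
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = _read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated RR header")
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata_start = off
            off += rdlen
            if off > len(msg):
                raise ValueError("truncated RDATA")
            if section != "additional" or rtype != SIG_TYPE or rdlen < 18:
                continue
            covered, alg, _labels, _ottl, expire, incept, key_tag = struct.unpack_from(
                "!HBBIIIH", msg, rdata_start)
            if covered != SIG0_TYPE_COVERED:
                continue                                 # a SIG over an RRset, not SIG(0)
            # The signer name may use compression, so decode it in message context.
            signer, _ = _read_name(msg, rdata_start + 18)
            return {"owner": owner, "class": rclass, "ttl": ttl, "algorithm": alg,
                    "key_tag": key_tag, "signer": signer,
                    "inception": incept, "expiration": expire}
    return None


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_sample_query(with_sig0):
    """Constructed sample: A query for example.com, optionally with a SIG(0) RR appended."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if with_sig0 else 0)
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)
    if not with_sig0:
        return header + question
    # Placeholder SIG(0) RDATA: covered=0, algorithm 13, labels 0, original TTL 0,
    # expiration/inception, key tag, signer name, then 64 dummy signature bytes.
    rdata = struct.pack("!HBBIIIH", 0, 13, 0, 0, 1780000000, 1779990000, 0xBEEF)
    rdata += _encode_name("key.example.net") + b"\x00" * 64
    sig_rr = b"\x00" + struct.pack("!HHIH", SIG_TYPE, 255, 0, len(rdata)) + rdata
    return header + question + sig_rr


if __name__ == "__main__":
    for flag in (False, True):
        print("SIG(0) present:" if find_sig0(build_sample_query(flag)) else "no SIG(0)",
              find_sig0(build_sample_query(flag)))
```

To use this on real traffic, feed `find_sig0` the UDP payload (or the length-prefixed TCP record body) from a capture or dnstap frame; alerting on any hit is reasonable where SIG(0) is not an expected client behaviour.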
Monitoring Recommendations
- Track BIND statistics channel metrics, including RecursClients, query rates, and SERVFAIL counts, for sudden spikes.
- Forward named syslog output to a centralized logging platform and alert on crash signatures and quota-exhaustion messages.
- Apply network telemetry to identify sources sending SIG(0)-signed traffic, which is uncommon in most environments.
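The log correlation suggested in the detection and monitoring lists above, as an added example that is not part of the original page or of ISC's tooling: it scans classic syslog lines, remembers every recursive-clients quota message from named, and flags a named main-process exit that follows one within a configurable window. The sample lines are constructed for the example; they follow the shape of the "no more recursive clients (N/M/L): quota reached" message named emits when the limit is hit and of systemd's main-process exit report, but they are not a real incident record. The syslog year is assumed (the classic prefix carries none).

```python
import re
from datetime import datetime

QUOTA_RE = re.compile(
    r"named\[\d+\]: no more recursive clients \((\d+)/(\d+)/(\d+)\): (.+)$")
EXIT_RE = re.compile(
    r"named\.service: Main process exited, code=(\w+), status=(\S+)")
TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")

# Constructed sample log; not from a real resolver.
SAMPLE_SYSLOG = """\
May 20 10:01:02 resolver1 named[4321]: no more recursive clients (1000/0/1000): quota reached
May 20 10:01:05 resolver1 named[4321]: no more recursive clients (1000/0/1000): quota reached
May 20 10:01:09 resolver1 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
May 20 10:01:09 resolver1 systemd[1]: named.service: Failed with result 'signal'.
May 20 10:01:10 resolver1 systemd[1]: named.service: Scheduling restart job, restart counter is at 1.
May 20 11:30:00 resolver1 systemd[1]: Stopping named.service - BIND Domain Name Server...
May 20 11:30:01 resolver1 systemd[1]: named.service: Main process exited, code=exited, status=0/SUCCESS
""".splitlines()


def parse_timestamp(line, year=2026):
    """Parse the classic syslog prefix (which has no year); None for other lines."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                             "%Y %b %d %H:%M:%S")


def correlate_quota_and_exits(lines, window_seconds=60, year=2026):
    """Return one finding per named exit, marking it suspicious when quota
    exhaustion messages preceded it within window_seconds."""
    quota_hits = []
    findings = []
    for line in lines:
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        m = QUOTA_RE.search(line)
        if m:
            quota_hits.append((ts, int(m.group(1)), int(m.group(3))))
            continue
        m = EXIT_RE.search(line)
        if m:
            recent = [q for q in quota_hits
                      if 0 <= (ts - q[0]).total_seconds() <= window_seconds]
            findings.append({
                "exit_time": ts,
                "code": m.group(1),
                "status": m.group(2),
                "quota_hits_in_window": len(recent),
                # An abnormal exit right after quota exhaustion is the pattern to escalate.
                "suspicious": bool(recent) and m.group(1) != "exited",
            })
    return findings


if __name__ == "__main__":
    for f in correlate_quota_and_exits(SAMPLE_SYSLOG):
        print(f)
```

The rule deliberately treats a clean `code=exited, status=0/SUCCESS` as benign even if quota messages are nearby, since a scheduled restart during a busy period is not evidence of a crash; on a real deployment the same pattern can be fed from journald output or a central log store.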
How to Mitigate CVE-2026-5947
Immediate Actions Required
- Upgrade BIND 9 to a fixed release: 9.20.23, 9.21.22, or the corresponding Supported Preview Edition build.
- Identify all resolvers running affected versions and prioritize internet-facing recursive servers.
- Restrict which clients may query recursive resolvers using allow-recursion to reduce exposure to anonymous attackers.
Patch Information
ISC has released fixed versions. Refer to the ISC BIND 9.20.23 Release and the ISC BIND 9.21.22 Release for source packages and release notes. Vendor-supplied package updates from Linux distributions should be applied once available.
Workarounds
- If patching is delayed, raising the recursive-clients limit on well-provisioned hardware makes quota exhaustion, and therefore the race, harder to reach, but does not close the window; monitor memory pressure if you do this.
- Restrict inbound DNS traffic to trusted networks via firewall rules or allow-query ACLs where operationally feasible. Note that a restrictive allow-query also blocks authoritative service from the same instance, so scope it to recursive-only servers.
- Consider rolling back to BIND 9.18.x (9.18.28 through 9.18.49), which the vendor confirms is not affected, if upgrade testing for 9.20.23 or 9.21.22 is not yet complete. Treat this as a last resort: confirm the 9.18 release you choose is still supported, and test the configuration against it, since options added in 9.20 will not be accepted.
# Verify installed BIND version (compare against the affected ranges above)
named -v

# Example named.conf hardening for a recursive-only resolver.
# The acl must be declared before the options block that references it.
acl trusted_clients {
    10.0.0.0/8;
    192.168.0.0/16;
    localhost;
};

options {
    recursive-clients 3000;                  # default is 1000
    allow-recursion { trusted_clients; };
    allow-query { trusted_clients; };
};
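The version check above, expanded into an added example (not ISC's tooling and not code from the original page) that classifies the output of `named -v` against the affected ranges listed in this advisory. It assumes `named` is on PATH when the local check is run and that the version string has the usual form `BIND 9.20.22 (Stable Release) <id:...>`, with a `-S<n>` suffix on Supported Preview Edition builds.

```python
import re
import subprocess

# Affected ranges exactly as listed in the advisory: (low, high, is_preview_edition).
AFFECTED_RANGES = (
    ((9, 20, 0), (9, 20, 22), False),
    ((9, 21, 0), (9, 21, 21), False),
    ((9, 20, 9), (9, 20, 22), True),     # 9.20.9-S1 through 9.20.22-S1
)
FIXED_RELEASES = {False: "9.20.23 or 9.21.22",
                  True: "the corresponding Supported Preview Edition build"}

# Matches 9.20.22 or 9.20.22-S1; a distro suffix such as -1-Debian does not set group 4.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?\b")


def parse_named_version(text):
    """Extract (major, minor, patch) and whether it is a -S preview build."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in: {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4) is not None


def is_affected(text):
    """True if the version in text falls inside an affected range for its edition."""
    version, preview = parse_named_version(text)
    return any(preview == is_preview and low <= version <= high
               for low, high, is_preview in AFFECTED_RANGES)


def advise(text):
    """Human-readable verdict for one version string."""
    version, preview = parse_named_version(text)
    label = ".".join(map(str, version)) + ("-S" if preview else "")
    if is_affected(text):
        return f"{label}: AFFECTED, upgrade to {FIXED_RELEASES[preview]}"
    return f"{label}: not in an affected range"


def check_local_named():
    """Run `named -v` on this host (assumed on PATH) and classify the result."""
    out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=True).stdout
    return out.strip(), is_affected(out)


if __name__ == "__main__":
    # Constructed version strings for a dry run; replace with check_local_named() on a host.
    for sample in ("BIND 9.20.22 (Stable Release) <id:0000000>",
                   "BIND 9.20.23 (Stable Release) <id:0000000>",
                   "BIND 9.21.21 (Development Release) <id:0000000>",
                   "BIND 9.20.9-S1 (Supported Preview Edition) <id:0000000>",
                   "BIND 9.18.33 (Extended Support Version) <id:0000000>"):
        print(advise(sample))
```

The same function works on a fleet inventory: feed it the `named -v` string collected by your configuration-management or agent tooling and filter on `is_affected` to build the patch list called for under Immediate Actions.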
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.