CVE-2026-5950 Overview
CVE-2026-5950 is a denial-of-service vulnerability in the Internet Systems Consortium (ISC) BIND 9 resolver. The flaw exists in the resolver state machine's bad-server handling logic, where specific retry conditions trigger an unbounded resend loop. A remote, unauthenticated attacker can issue crafted DNS queries that force the resolver into repeated retransmissions, exhausting CPU and network resources on the affected name server. The issue is categorized under [CWE-606]: Unchecked Input for Loop Condition. Affected releases span BIND 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, and the corresponding -S1 Supported Preview Edition builds.
Critical Impact
Remote, unauthenticated attackers can degrade or disrupt DNS resolution services across vulnerable BIND 9 recursive resolvers by triggering uncontrolled resend loops.
Affected Products
- ISC BIND 9.18.36 through 9.18.48 (including 9.18.36-S1 through 9.18.48-S1)
- ISC BIND 9.20.8 through 9.20.22 (including 9.20.9-S1 through 9.20.22-S1)
- ISC BIND 9.21.7 through 9.21.21
Discovery Timeline
- 2026-05-20 - CVE-2026-5950 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-5950
Vulnerability Analysis
The vulnerability resides in the BIND 9 recursive resolver state machine. When the resolver classifies an upstream authoritative server as "bad" during query processing, it transitions into a retry path designed to resend the query to alternative servers. Under specific conditions, the state machine fails to enforce an upper bound on this resend sequence. The resolver continues to issue outbound queries without converging on a terminal state.
An attacker triggers the condition by sending recursive queries that force the resolver into the affected retry branch. Each malicious query can multiply into a high volume of internal resends, consuming CPU cycles, file descriptors, and outbound query slots. Sustained exploitation results in service degradation or complete denial of DNS resolution for legitimate clients.
Root Cause
The root cause is an unchecked loop condition ([CWE-606]) inside the bad-server handling routine of the resolver. The retry counter or terminating predicate does not advance under the triggering input pattern, leaving the resolver in a tight resend loop bounded only by query timeouts rather than by an iteration cap.
Attack Vector
Exploitation requires only network access to a vulnerable recursive resolver. No authentication, user interaction, or local foothold is needed. Any client able to submit recursive DNS queries — including open resolvers and internal resolvers exposed to compromised hosts — can trigger the condition. Refer to the ISC CVE-2026-5950 Documentation for the precise triggering query semantics.
Detection Methods for CVE-2026-5950
Indicators of Compromise
- Sudden, sustained spikes in outbound DNS query volume from a recursive resolver toward a small set of authoritative servers.
- Elevated CPU utilization on named processes without a corresponding increase in client query volume.
- Repeated resolver log entries referencing bad-server classification, SERVFAIL responses, or timeouts for the same query name.
- Exhaustion of recursive client slots and growing recursive-clients queue depth.
Detection Strategies
- Baseline outbound-to-inbound query ratios on recursive resolvers and alert on deviations exceeding normal operating bands.
- Parse BIND query and resolver-debug logs for repetitive retry patterns tied to single client queries.
- Correlate named resource metrics (CPU, sockets, recursive clients) with network flow data to identify resend amplification.
Monitoring Recommendations
- Enable BIND statistics channel and export metrics such as Resolver stats and Queries In Progress to your monitoring stack.
- Monitor authoritative servers downstream for anomalous repeat-query volume that may indicate an upstream resolver caught in the loop.
- Forward named logs to a centralized log platform and build alerts for sustained SERVFAIL and timeout bursts per query tuple.
How to Mitigate CVE-2026-5950
Immediate Actions Required
- Upgrade BIND 9 to a fixed release: 9.18.49, 9.20.23, or 9.21.22 (or the corresponding -S1 build for Supported Preview Edition users).
- Restrict recursion to trusted client networks using allow-recursion and allow-query ACLs.
- Rate-limit recursive queries and outbound retries where the BIND configuration permits.
- Inventory all BIND instances, including container images and appliances that embed BIND, to confirm none run an affected version.
Patch Information
ISC has released fixed versions: ISC BIND 9.18.49 Release, ISC BIND 9.20.23 Release, and ISC BIND 9.21.22 Release. Operational guidance and the authoritative advisory are published in the ISC CVE-2026-5950 Documentation.
Workarounds
- No vendor-supplied configuration workaround eliminates the loop condition; upgrading is the supported remediation.
- Reduce exposure by ensuring recursive resolvers are not reachable from untrusted networks.
- Deploy redundant resolvers behind load balancing so a single overloaded instance does not collapse DNS service.
# Configuration example: restrict recursion to internal clients
acl "trusted" {
10.0.0.0/8;
192.168.0.0/16;
};
options {
allow-query { trusted; };
allow-recursion { trusted; };
recursive-clients 1000;
minimal-responses yes;
};
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
