7.5
CVE-2026-5947 · EXPLOITED · PATCHED
isc · bind

SIG(0) validation during query flood may lead to undefined behavior

Description

Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.

Affected Products

Vendor | Product | Versions
isc | bind | 9.20.0, 9.21.0, 9.20.9-S1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
internet systems consortium | bind | cert_advisory | 90%

References

  • https://kb.isc.org/docs/cve-2026-5947 (vendor-advisory)
  • https://downloads.isc.org/isc/bind9/9.20.23 (patch)
  • https://downloads.isc.org/isc/bind9/9.21.22 (patch)

Related News (5 articles)

Tier A · Microsoft MSRC · 3d ago
CVE-2026-5947 SIG(0) validation during query flood may lead to undefined behavior
→ No new info (linked only)

Tier B · BSI Advisories · 5d ago
[NEW] [medium] Internet Systems Consortium BIND: Multiple vulnerabilities
→ No new info (linked only)

Tier B · CERT-FR · 5d ago
Multiple vulnerabilities in ISC BIND (May 21, 2026)
→ No new info (linked only)

Tier C · oss-security · 6d ago
ISC has disclosed six vulnerabilities in BIND 9 (CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950)
→ No new info (linked only)

Tier C · VulDB · 6d ago
CVE-2026-5947 | ISC BIND up to 9.21.21 DNS Message race condition
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 9.18.28, 9.18.28-S1
CWE: CWE-362, CWE-416
Published: May 20, 2026
Last enriched: 5d ago (v3)
Tags: CVE-2026-5946, CVE-2026-5947, CVE-2026-5950
Trending Score: 47
Source articles: 5
Independent: 5
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-1519
Excessive NSEC3 iterations cause high CPU load during insecure delegation validation
Trending: 53

HIGH · CVE-2026-5946 · EXP
Invalid handling of CLASS != IN
Trending: 50

MEDIUM · CVE-2026-3592 · EXP
Amplification vulnerabilities via self-pointed glue records
Trending: 45

MEDIUM · CVE-2026-5950 · EXP
Unbounded resend loop in BIND 9 resolver
Trending: 45

HIGH · CVE-2026-3039 · EXP
BIND 9 server memory exhaustion during GSS-API TKEY negotiation
Trending: 45

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

May 20, 2026: CVE Published
May 20, 2026: Discovered by ZDM
May 20, 2026: Updated: affectedVersions, severity, activelyExploited
May 20, 2026: Actively Exploited
May 20, 2026: Exploit Available
May 20, 2026: Patch Available
May 21, 2026: Updated: exploitAvailable, tags

Version History

v3 (last enriched 5d ago)

v3 · Tier B · 5d ago
Updated exploit availability to true, set patch available to null, and added new CVE tags.
exploitAvailable, tags
via CERT-FR

v2 · Tier C · 6d ago
Updated affected versions to include 9.18.48 and 9.18.49-S0, changed severity to MEDIUM, marked as actively exploited, and noted no exploit available.
affectedVersions, severity, activelyExploited
via VulDB

v1 · 6d ago
Initial creation