CVE-2026-5950 PUBLISHED

Unbounded resend loop in BIND 9 resolver

Assigner: isc
Reserved: 09.04.2026 Published: 20.05.2026 Updated: 20.05.2026

An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	ISC
Product	BIND 9
Versions	Default: unaffected affected from 9.18.36 to 9.18.48 (incl.) affected from 9.20.8 to 9.20.22 (incl.) affected from 9.21.7 to 9.21.21 (incl.) affected from 9.18.36-S1 to 9.18.48-S1 (incl.) affected from 9.20.9-S1 to 9.20.22-S1 (incl.)

Exploits

We are not aware of any active exploits.

Workarounds

No workarounds known.

Solutions

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.

Credits

ISC would like to thank Billy Baraja (BielraX) for bringing this vulnerability to our attention.