CVE-2026-5947: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in ISC BIND 9
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
AI Analysis
Technical Summary
This vulnerability involves a race condition in ISC BIND 9 DNS server software when handling SIG(0)-signed DNS messages. If the recursive-clients limit is reached during signature validation, the DNS message may be discarded while still being accessed, causing a use-after-free condition. This affects multiple BIND 9 versions starting from 9.20.0 up to 9.21.21 and certain 9.20-S1 builds. The issue can cause undefined behavior, primarily impacting service availability. ISC has published the vulnerability but has not yet provided an official fix or remediation. The vulnerability is tracked as CVE-2026-5947 with a high CVSS score of 7.5.
Potential Impact
The vulnerability can cause a use-after-free condition leading to undefined behavior, which may result in denial of service or instability of the BIND 9 DNS server. There is no indication of confidentiality or integrity impact. No known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the ISC vendor advisory for current remediation guidance. Until an official fix is released, consider monitoring recursive client limits and controlling query flood conditions to reduce exposure. No vendor-provided mitigation or temporary fix is currently documented.
CVE-2026-5947: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in ISC BIND 9
Description
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves a race condition in ISC BIND 9 DNS server software when handling SIG(0)-signed DNS messages. If the recursive-clients limit is reached during signature validation, the DNS message may be discarded while still being accessed, causing a use-after-free condition. This affects multiple BIND 9 versions starting from 9.20.0 up to 9.21.21 and certain 9.20-S1 builds. The issue can cause undefined behavior, primarily impacting service availability. ISC has published the vulnerability but has not yet provided an official fix or remediation. The vulnerability is tracked as CVE-2026-5947 with a high CVSS score of 7.5.
Potential Impact
The vulnerability can cause a use-after-free condition leading to undefined behavior, which may result in denial of service or instability of the BIND 9 DNS server. There is no indication of confidentiality or integrity impact. No known exploits are currently reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the ISC vendor advisory for current remediation guidance. Until an official fix is released, consider monitoring recursive client limits and controlling query flood conditions to reduce exposure. No vendor-provided mitigation or temporary fix is currently documented.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- isc
- Date Reserved
- 2026-04-09T06:40:58.672Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0db4dcba1db473627ecd8a
Added to database: 5/20/2026, 1:19:24 PM
Last enriched: 5/20/2026, 1:33:44 PM
Last updated: 5/21/2026, 1:14:32 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.