← back
CVE-2026-5950

Unbounded resend loop in BIND 9 resolver

CVSS 5.3 MEDIUMEPSS 0.6%CWE-606
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
ISC · BIND 9
public PoCs found1
githubgithub.com/billybaraja/cve-2026-5950-bind9-resolver-dos1
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://downloads.isc.org/isc/bind9/9.18.49https://downloads.isc.org/isc/bind9/9.20.23https://downloads.isc.org/isc/bind9/9.21.22https://kb.isc.org/docs/cve-2026-5950