PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5947 ISC CVE debrief

CVE-2026-5947 is a high-severity denial-of-service issue in affected BIND 9 releases. According to ISC’s advisory referenced by NVD, a race condition during SIG(0) signature validation can create a brief use-after-free window if the recursive-clients limit is reached and the same DNS message is discarded while validation is still in progress. The issue affects BIND 9 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1, while 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are not affected.

Vendor: ISC
Product: BIND 9
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Operators and administrators running affected BIND 9 DNS servers, especially systems that may be exposed to query floods or other high-load conditions. Security teams should also care because the flaw is reachable over the network and primarily impacts availability.

Technical summary

NVD lists the issue as CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The described condition involves SIG(0) validation work that can outlive the DNS message object when recursive-clients exhaustion causes the message to be dropped. ISC classifies the weaknesses as CWE-362 (race condition) and CWE-416 (use-after-free). The referenced fixed releases are 9.20.23 and 9.21.22.

Defensive priority

High. The vulnerability is network-reachable, requires no privileges or user interaction, and can cause service interruption. Prioritize patching affected BIND 9 deployments.

Recommended defensive actions

  • Upgrade affected BIND 9 installations to a fixed release: 9.20.23 or 9.21.22, as applicable to your branch.
  • Confirm whether any deployed instances are on affected versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, or 9.20.9-S1 through 9.20.22-S1.
  • Verify that instances on 9.18.28 through 9.18.49 or 9.18.28-S1 through 9.18.49-S1 are on an unaffected branch.
  • Review ISC’s advisory for CVE-2026-5947 for any vendor guidance tied to your deployment.
  • If immediate patching is not possible, closely monitor affected servers for high query load or resource exhaustion conditions and reduce exposure where feasible.
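The version-inventory steps above reduce to comparing each server's reported BIND version against the ranges this debrief lists. The POSIX shell script below is an added example, written for this debrief and not part of PatchSiren's or ISC's tooling; it parses the first line of `named -v` (the sample "BIND 9.20.10 (Stable Release) <id:abc123>" string is constructed for illustration) and classifies the version as affected, fixed, unaffected, or unknown. Versions outside every range the debrief names are deliberately reported as unknown rather than assumed safe, since the page does not cover them.

```shell
#!/bin/sh
# Added example, not part of the PatchSiren debrief or ISC's tooling.
# Classifies a BIND 9 version string against the ranges the debrief
# lists for CVE-2026-5947 and prints one word:
#   affected   - inside 9.20.0-9.20.22, 9.21.0-9.21.21 or 9.20.9-S1-9.20.22-S1
#   fixed      - exactly one of the referenced fixed releases, 9.20.23 or 9.21.22
#   unaffected - inside 9.18.28-9.18.49 or 9.18.28-S1-9.18.49-S1
#   unknown    - any other version; consult ISC's advisory rather than assume

# Extract "9.20.10" or "9.20.10-S1" from the first line of `named -v`,
# e.g. the constructed sample "BIND 9.20.10 (Stable Release) <id:abc123>".
bind_version_from_named_v() {
    set -- $1          # word-split on whitespace; the second word is the version
    printf '%s\n' "$2"
}

# Return 0 if $1 is a non-negative integer, 1 otherwise.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

bind_cve_2026_5947_status() {
    ver=$1
    s1=0
    case "$ver" in
        *-S1) s1=1; ver=${ver%-S1} ;;   # Subscription Edition build
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ver                          # split major.minor.patch
    IFS=$old_ifs
    major=$1; minor=$2; patch=$3
    if [ "$#" -ne 3 ] || ! is_uint "$major" || ! is_uint "$minor" || ! is_uint "$patch"; then
        echo unknown; return 0
    fi
    if [ "$major" -ne 9 ]; then
        echo unknown; return 0
    fi
    case "$minor" in
        18)
            # 9.18.28-9.18.49 and 9.18.28-S1-9.18.49-S1 are listed as not affected
            if [ "$patch" -ge 28 ] && [ "$patch" -le 49 ]; then echo unaffected; else echo unknown; fi ;;
        20)
            if [ "$s1" -eq 1 ]; then
                # only 9.20.9-S1 through 9.20.22-S1 is listed
                if [ "$patch" -ge 9 ] && [ "$patch" -le 22 ]; then echo affected; else echo unknown; fi
            elif [ "$patch" -le 22 ]; then echo affected
            elif [ "$patch" -eq 23 ]; then echo fixed
            else echo unknown
            fi ;;
        21)
            # the debrief lists no 9.21 -S1 range, so such builds stay unknown
            if [ "$s1" -eq 1 ]; then echo unknown
            elif [ "$patch" -le 21 ]; then echo affected
            elif [ "$patch" -eq 22 ]; then echo fixed
            else echo unknown
            fi ;;
        *) echo unknown ;;
    esac
}

# On a host with named installed, classify the running build.
if command -v named >/dev/null 2>&1; then
    v=$(bind_version_from_named_v "$(named -v 2>/dev/null | head -n 1)")
    printf 'BIND %s: %s\n' "$v" "$(bind_cve_2026_5947_status "$v")"
fi
```

Run it on each resolver, or feed it version strings collected by your inventory tooling; any "affected" result is a patch candidate, and any "unknown" result should be checked against ISC's advisory rather than treated as clean.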

Evidence notes

All factual claims are based on the NVD record and ISC-linked references supplied in the source corpus. The CVE was published and last modified on 2026-05-20, and NVD marks the vulnerability status as "Undergoing Analysis". The source references point to ISC downloads for 9.20.23 and 9.21.22 and to the ISC knowledge base advisory for CVE-2026-5947.

Official resources

Publicly disclosed on 2026-05-20 through ISC-referenced materials and reflected in the NVD record the same day; NVD lists the issue as undergoing analysis at the time of the provided source snapshot.