CVE-2026-5947

Name of the Vulnerable Software and Affected Versions BIND 9 versions 9.20.0 through 9.20.22 BIND 9 versions 9.21.0 through 9.21.21 BIND 9 versions 9.20.9-S1 through 9.20.22-S1

Description A race condition occurs when BIND receives an incoming DNS message signed with SIG(0). While validating the signature, if the recursive-clients limit is reached (such as during a query flood) and the message is discarded, a use-after-free violation may occur. This happens because the SIG(0) validation process may attempt to read the DNS message after it has been discarded, leading to undefined behavior. Use-after-free is a scenario where a program continues to use a pointer after it has been freed, which can lead to crashes or unpredictable execution.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.