CVE-2026-5950

MEDIUM

Unbounded resend loop in BIND 9 resolver

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-5950. PoCs published by billybaraja.

AI-analyzed exploit summary This repository provides a defensive version checker for CVE-2026-5950, a DoS vulnerability in BIND 9 resolvers. It includes a Python script to classify BIND versions against affected ranges and documentation for detection and remediation.

Description

An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Exploits (1)

nomisec SCANNER
by billybaraja · poc
https://github.com/billybaraja/cve-2026-5950-bind9-resolver-dos

This repository provides a defensive version checker for CVE-2026-5950, a DoS vulnerability in BIND 9 resolvers. It includes a Python script to classify BIND versions against affected ranges and documentation for detection and remediation.

Classification
Scanner 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: ISC BIND 9 (versions 9.18.36-9.18.48, 9.20.8-9.20.22, 9.21.7-9.21.21, and their -S1 variants)
No auth needed
Prerequisites: Access to the BIND version string (e.g., via `named -v`)
mistral-large-3 · analyzed Jun 14, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 5.3
EPSS 0.0055
EPSS Percentile 42.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-606
Status published
Products (6)
isc/bind 9.18.36 - 9.18.49
ISC/BIND 9 9.18.36 - 9.18.48
ISC/BIND 9 9.18.36-S1 - 9.18.48-S1
ISC/BIND 9 9.20.8 - 9.20.22
ISC/BIND 9 9.20.9-S1 - 9.20.22-S1
ISC/BIND 9 9.21.7 - 9.21.21
Published May 20, 2026
Tracked Since May 20, 2026