- bind
- dns
- dos
- cve
- isc
news
BIND 9 Resolver Unbounded Loop DoS (CVE-2026-5950)
Unchecked resend loop in BIND 9 bad-server handling enables remote resource exhaustion; defensive notes indexed on Sploitus.
Summary
CVE-2026-5950 is an unbounded resend loop in the BIND 9 recursive resolver state machine during bad-server handling. A remote, unauthenticated attacker can trigger retry conditions that exhaust CPU, memory, and network capacity on the resolver. Sploitus featured it in its "Exploits of the week" listing under the title "Exploit for Unchecked Input for Loop Condition in Isc Bind". Researcher Billy Baraja (BielraX) published a defensive analysis that is indexed alongside the advisory; ISC credits him with the discovery.
OFFSITE.DARK cites Sploitus as its index source. The indexed GitHub repository explicitly avoids publishing attack payloads.
Technical Details
When BIND's resolver marks an upstream authoritative server as "bad" during query processing, it enters a retry path that moves on to alternate nameservers. Under specific conditions the state machine does not bound the resend sequence: instead of converging, the resolver keeps issuing outbound queries until the global query timeout expires. Each such query costs CPU, memory for the pending fetch, and outbound bandwidth, which is why a stream of crafted recursive queries is enough to degrade the whole resolver.
| Aspect | Detail |
|---|---|
| Component | BIND 9 recursive resolver (named) |
| CWE | CWE-606 — Unchecked Input for Loop Condition |
| Auth | None required |
| Scope | Recursive resolvers affected; authoritative-only believed unaffected |
| Trigger | Crafted recursive queries inducing bad-server retry branch |

| Branch | Affected | Fixed |
|---|---|---|
| 9.18.x | 9.18.36 – 9.18.48 | 9.18.49 |
| 9.20.x | 9.20.8 – 9.20.22 | 9.20.23 |
| 9.21.x | 9.21.7 – 9.21.21 | 9.21.22 |
| 9.18-S1 | 9.18.36-S1 – 9.18.48-S1 | 9.18.49-S1 |
| 9.20-S1 | 9.20.9-S1 – 9.20.22-S1 | 9.20.23-S1 |
CVSS 3.1: 5.3 Medium — AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (availability impact; ISC notes operational severity can exceed base score under load).
CVE
| Field | Value |
|---|---|
| CVE | CVE-2026-5950 |
| Vendor advisory | ISC KB CVE-2026-5950 |
| Published | 2026-05-20 |
| Active exploits (ISC) | None reported at disclosure |
| Defensive notes | billybaraja/cve-2026-5950-bind9-resolver-dos |
Impact
Degraded or failed DNS resolution for all clients depending on the affected recursive resolver — intermittent timeouts, elevated latency, and potential denial of service at the resolver host. Open resolvers and internal corporate DNS forwarders exposed to untrusted clients face the highest risk. Downstream applications fail unpredictably when DNS stalls.
Mitigation
- Upgrade to 9.18.49, 9.20.23, or 9.21.22 (or the matching -S1 builds); ISC lists no workarounds.
- Restrict recursion to authorized clients with `allow-recursion` ACLs; disable open recursion on internet-facing resolvers.
- Rate-limit inbound DNS queries at the network edge during incident response.
- Monitor resolver CPU, outbound query rates, and `named` worker saturation for anomalous retry storms.
- Confirm whether "authoritative-only" servers perform incidental recursion (ISC guidance).
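The monitoring bullet above is the one that catches this class of fault before clients notice: a resolver stuck in the bad-server retry path sends far more outbound queries than it receives client requests, and most of those outbound queries are retries. The following script is an added example, not code from ISC or from the indexed repository. It diffs two `rndc stats` text dumps (named.stats) and flags the interval when the outbound/inbound fan-out or the retry share crosses a threshold. The dump samples are constructed, with invented numbers and trimmed to the sections the check reads; the 4.0 fan-out and 25% retry-share thresholds are illustrative assumptions that should be tuned against a resolver's own baseline.

```python
"""Spot a BIND 9 resolver retry storm from two successive `rndc stats` dumps.
Added example, not ISC code; thresholds are illustrative assumptions."""
import re

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

# Constructed sample dumps (numbers invented), trimmed to the sections read.
# The layout and counter names follow the named.stats text dump.
BASELINE = """\
+++ Statistics Dump +++ (1779000000)
++ Incoming Requests ++
               12000 QUERY
++ Resolver Statistics ++
[View: default]
               15000 IPv4 queries sent
               14800 IPv4 responses received
                 120 query retries
                  40 query timeouts
--- Statistics Dump --- (1779000000)
"""

QUIET = """\
+++ Statistics Dump +++ (1779000060)
++ Incoming Requests ++
               12600 QUERY
++ Resolver Statistics ++
[View: default]
               15750 IPv4 queries sent
               15540 IPv4 responses received
                 126 query retries
                  42 query timeouts
--- Statistics Dump --- (1779000060)
"""

STORM = """\
+++ Statistics Dump +++ (1779000120)
++ Incoming Requests ++
               13200 QUERY
++ Resolver Statistics ++
[View: default]
               95750 IPv4 queries sent
               15940 IPv4 responses received
               79006 query retries
                1942 query timeouts
--- Statistics Dump --- (1779000120)
"""


def parse_stats(dump: str) -> dict[str, int]:
    """Map 'Section/counter name' -> value for every counter line in a dump."""
    counters: dict[str, int] = {}
    section = None
    for line in dump.splitlines():
        if line.startswith(("+++", "---", "[")):
            continue  # dump delimiters and [Common]/[View: ...] scope markers
        if line.startswith("++ ") and line.endswith(" ++"):
            section = line[3:-3]
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            key = f"{section}/{m.group(2)}"
            counters[key] = counters.get(key, 0) + int(m.group(1))  # sum across views
    return counters


def assess(before: str, after: str, max_fanout: float = 4.0,
           max_retry_share: float = 0.25) -> dict:
    """Diff two dumps; return interval metrics and the reasons (if any) to alert."""
    b, a = parse_stats(before), parse_stats(after)

    def d(key: str) -> int:
        return a.get(key, 0) - b.get(key, 0)

    requests = d("Incoming Requests/QUERY")
    sent = (d("Resolver Statistics/IPv4 queries sent")
            + d("Resolver Statistics/IPv6 queries sent"))
    received = (d("Resolver Statistics/IPv4 responses received")
                + d("Resolver Statistics/IPv6 responses received"))
    retries = d("Resolver Statistics/query retries")
    timeouts = d("Resolver Statistics/query timeouts")

    # fanout: outbound resolver queries per client request; retry_share: how many
    # of those outbound queries were retries. Both explode in a non-converging loop.
    fanout = sent / requests if requests else (float("inf") if sent else 0.0)
    retry_share = retries / sent if sent else 0.0
    reasons = []
    if fanout > max_fanout:
        reasons.append(f"fanout {fanout:.1f} outbound/inbound > {max_fanout}")
    if retry_share > max_retry_share:
        reasons.append(f"retries are {retry_share:.0%} of outbound queries")
    return {"requests": requests, "sent": sent, "unanswered": sent - received,
            "retries": retries, "timeouts": timeouts, "fanout": round(fanout, 2),
            "retry_share": round(retry_share, 3), "alert": bool(reasons),
            "reasons": reasons}


if __name__ == "__main__":
    for label, pair in (("quiet", (BASELINE, QUIET)), ("storm", (QUIET, STORM))):
        r = assess(*pair)
        print(label, "ALERT" if r["alert"] else "ok", r["reasons"] or r["fanout"])
```

In practice the two dumps come from `rndc stats` run a minute apart (or from the statistics channel, which exposes the same counters in XML/JSON); the quiet interval here yields a fan-out of 1.25, while the storm interval sends 80000 outbound queries for 600 client requests with almost all of them retries, which is the signature the "retry storm" bullet describes. A rising "unanswered" figure alongside it distinguishes this from a legitimate burst of cache misses.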
Sources
- Sploitus search — CVE-2026-5950 (weekly index reference)
- ISC advisory — CVE-2026-5950
- Defensive research — Billy Baraja