CVE-2026-5947

NameCVE-2026-5947
DescriptionUndefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)bullseye1:9.16.50-1~deb11u2fixed
bullseye (security)1:9.16.50-1~deb11u5fixed
bookworm1:9.18.47-1~deb12u1fixed
bookworm (security)1:9.18.49-1~deb12u1fixed
trixie1:9.20.21-1~deb13u1vulnerable
trixie (security)1:9.20.23-1~deb13u1fixed
forky1:9.20.22-1vulnerable
sid1:9.20.23-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9sourcebullseye(not affected)
bind9sourcebookworm(not affected)
bind9sourcetrixie1:9.20.23-1~deb13u1
bind9source(unstable)1:9.20.23-1

Notes

[bookworm] - bind9 <not-affected> (Only affects Bind 9.20)
[bullseye] - bind9 <not-affected> (Only affects Bind 9.20)
https://kb.isc.org/docs/cve-2026-5947
Search for package or bug name: Reporting problems