Vulnerability Details CVE-2026-5950
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions.
This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 34.4%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2026-5950
-
cpe:2.3:a:isc:bind:9.18.36
-
cpe:2.3:a:isc:bind:9.18.37
-
cpe:2.3:a:isc:bind:9.18.38
-
cpe:2.3:a:isc:bind:9.18.39
-
cpe:2.3:a:isc:bind:9.18.41
-
cpe:2.3:a:isc:bind:9.18.42
-
cpe:2.3:a:isc:bind:9.18.43
-
cpe:2.3:a:isc:bind:9.18.44
-
cpe:2.3:a:isc:bind:9.18.45
-
cpe:2.3:a:isc:bind:9.18.46
-
cpe:2.3:a:isc:bind:9.18.47
-
cpe:2.3:a:isc:bind:9.18.48
-
cpe:2.3:a:isc:bind:9.20.10
-
cpe:2.3:a:isc:bind:9.20.11
-
cpe:2.3:a:isc:bind:9.20.12
-
cpe:2.3:a:isc:bind:9.20.13
-
cpe:2.3:a:isc:bind:9.20.15
-
cpe:2.3:a:isc:bind:9.20.16
-
cpe:2.3:a:isc:bind:9.20.17
-
cpe:2.3:a:isc:bind:9.20.18
-
cpe:2.3:a:isc:bind:9.20.19
-
cpe:2.3:a:isc:bind:9.20.20
-
cpe:2.3:a:isc:bind:9.20.21
-
cpe:2.3:a:isc:bind:9.20.22
-
cpe:2.3:a:isc:bind:9.20.8
-
cpe:2.3:a:isc:bind:9.20.9
-
cpe:2.3:a:isc:bind:9.21.10
-
cpe:2.3:a:isc:bind:9.21.11
-
cpe:2.3:a:isc:bind:9.21.12
-
cpe:2.3:a:isc:bind:9.21.14
-
cpe:2.3:a:isc:bind:9.21.15
-
cpe:2.3:a:isc:bind:9.21.16
-
cpe:2.3:a:isc:bind:9.21.17
-
cpe:2.3:a:isc:bind:9.21.18
-
cpe:2.3:a:isc:bind:9.21.19
-
cpe:2.3:a:isc:bind:9.21.20
-
cpe:2.3:a:isc:bind:9.21.7
-
cpe:2.3:a:isc:bind:9.21.8
-
cpe:2.3:a:isc:bind:9.21.9