ISC disclosed CVE-2026-5947 on May 20, 2026. A race condition in BIND 9's handling of SIG(0)-signed DNS traffic during query floods can crash the server. The high‑severity flaw demands immediate attention from administrators running recursive or authoritative DNS services.
What is CVE-2026-5947?
CVE-2026-5947 is a vulnerability in BIND 9, the widely‑used open‑source DNS software developed by the Internet Systems Consortium (ISC). The flaw exists in the code that handles SIG(0) transactions when BIND is under heavy query load. SIG(0) is a mechanism defined in RFC 2931 that allows DNS clients and servers to authenticate transactions using public key cryptography. It is often used for dynamic DNS updates, zone transfers, and other sensitive operations where data integrity and origin authentication are critical.
When a BIND 9 server receives a flood of queries and simultaneously processes SIG(0)-signed traffic, a race condition can occur. In multi‑threaded or asynchronous code paths, the simultaneous access to a shared memory object—likely related to the SIG(0) validation context—is not properly serialized. This leads to a use‑after‑free condition, where memory is deallocated and then accessed again, causing the named process to crash. The result is an abrupt termination of the DNS service, leaving clients unable to resolve names.
Technical Deep‑Dive: The Race Condition
Modern BIND 9 is heavily multi‑threaded to handle thousands of queries per second. When a client sends a DNS query with a SIG(0) record, the server must:
- Parse the SIG(0) record from the additional section.
- Retrieve the corresponding public key from the local keyring or verify against a trusted key.
- Validate the signature over the DNS message.
- Respond appropriately—granting or denying the requested operation based on signature validity.
During a query flood, the server may allocate memory buffers for each SIG(0) context. The race arises when one thread finalizes the validation (potentially freeing the context) while another thread still attempts to read or write the same memory region. This is an object-lifetime race, in other words a use-after-free, rather than a time-of-check-to-time-of-use (TOCTOU) bug in the strict sense: the problem is not a stale check but a context whose lifetime was not tied to every thread still holding a reference to it. ISC's advisory indicates that the flaw can be triggered remotely by sending a crafted sequence of SIG(0)-signed queries amid a high volume of ordinary queries. The attacker does not need to possess a valid key; merely sending malformed SIG(0) messages during a flood is sufficient to provoke the race.
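To make the first two steps above concrete (where a SIG(0) sits in the packet and what its RDATA contains), here is an added example in Python. It is not ISC code and it does not verify signatures; it only locates and decodes the record, which is also the check a coarse ingress filter that drops SIG(0)-bearing queries would need. Every name, timestamp, key tag and signature byte in the sample messages is constructed.

```python
"""Decode a SIG(0) transaction signature from a raw DNS message (added example, not ISC code).
Per RFC 2535/2931 a SIG(0) is a SIG RR (type 24) with Type Covered 0, carried as the LAST RR
of the additional section. All sample data below is made up."""
import struct
from typing import NamedTuple, Optional

TYPE_SIG, TYPE_OPT, CLASS_ANY = 24, 41, 255

def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly-compressed name at off; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            ptr = ((length & 0x3F) << 8) | msg[off + 1] if off + 1 < len(msg) else off
            if ptr >= off:                                # truncated, or not pointing backwards (loop)
                raise ValueError("bad compression pointer")
            if not jumped:
                end, jumped = off + 2, True
            off = ptr
            continue
        if length > 63:
            raise ValueError("label too long")
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def additional_section(msg: bytes) -> list[tuple]:
    """(name, type, class, ttl, rdata_offset, rdlength) per additional-section RR; bounds-checked."""
    if len(msg) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                  # skip QNAME, QTYPE, QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        rrs.append((name, rtype, rclass, ttl, off, rdlen))
        off += rdlen
    return rrs[an + ns:]

Sig0 = NamedTuple("Sig0", [("algorithm", int), ("key_tag", int), ("signer", str),
                           ("inception", int), ("expiration", int), ("signature", bytes)])

def find_sig0(msg: bytes) -> Optional[Sig0]:
    """The SIG(0), or None if none sits where RFC 2931 requires it (last RR of the additional section)."""
    rrs = additional_section(msg)
    if not rrs or rrs[-1][1] != TYPE_SIG or rrs[-1][5] < 18:
        return None
    rd_off, rd_len = rrs[-1][4], rrs[-1][5]
    covered, alg, _lbl, _ttl, exp, inc, tag = struct.unpack("!HBBIIIH", msg[rd_off:rd_off + 18])
    if covered != 0:                                      # an ordinary SIG RR, not a SIG(0)
        return None
    signer, sig_off = read_name(msg, rd_off + 18)
    if sig_off > rd_off + rd_len:
        raise ValueError("signer name overruns RDATA")
    return Sig0(alg, tag, signer, inc, exp, msg[sig_off:rd_off + rd_len])

def classify(msg: bytes) -> str:
    """Coarse label a packet filter could act on: sig0 / sig-not-last / plain / malformed."""
    try:
        if find_sig0(msg) is not None:
            return "sig0"
        return "sig-not-last" if any(rr[1] == TYPE_SIG for rr in additional_section(msg)) else "plain"
    except ValueError:
        return "malformed"

# ---- constructed sample messages (not captured traffic) ----------------------
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".") if l) + b"\x00"

def sig0_rr(alg: int, key_tag: int, signer: str, inception: int, expiration: int, sig: bytes) -> bytes:
    rdata = struct.pack("!HBBIIIH", 0, alg, 0, 0, expiration, inception, key_tag) + encode_name(signer) + sig
    # owner ".", class ANY, TTL 0 are the conventional SIG(0) header values
    return b"\x00" + struct.pack("!HHIH", TYPE_SIG, CLASS_ANY, 0, len(rdata)) + rdata

OPT_RR = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0)   # EDNS: 1232-byte buffer, no options

def build_query(qname: str, additional: list[bytes]) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, len(additional))   # ID, RD set, 1 question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join(additional)   # A IN

SAMPLE_SIG = sig0_rr(13, 4711, "sig0.example.com.", 1_778_000_000, 1_778_000_300, bytes(range(64)))
SIGNED = build_query("example.com.", [OPT_RR, SAMPLE_SIG])       # conformant: SIG(0) last
PLAIN = build_query("example.com.", [OPT_RR])
MISPLACED = build_query("example.com.", [SAMPLE_SIG, OPT_RR])    # SIG(0) present but not last

if __name__ == "__main__":
    print({k: classify(v) for k, v in [("signed", SIGNED), ("plain", PLAIN), ("misplaced", MISPLACED), ("truncated", SIGNED[:-10])]})
```

Note the "sig-not-last" case: a SIG RR anywhere other than the final additional-section slot is not a valid SIG(0) under RFC 2931, so a filter keyed on "type 24 present" and a verifier keyed on "last RR" can disagree about the same packet; decide deliberately which rule your filter applies.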
Real‑World Impact: DNS Outages and Beyond
The primary impact is a denial of service (DoS). A crashed BIND server stops answering all DNS queries—both authoritative and recursive—until the process is restarted manually or by a monitoring script. For organizations that rely on a single BIND instance for internal or external DNS, this can mean a complete blackout of name resolution. Secondary effects cascade rapidly:
- Email delivery fails as MX records become unresolvable.
- Web services become unreachable by domain name.
- Active Directory and Kerberos authentication may break if domain controllers depend on affected DNS servers.
- Cloud and hybrid environments lose connectivity between on‑premises and cloud resources.
Because BIND powers a significant portion of the Internet's DNS infrastructure (commonly cited estimates put it at 30% to 40% of authoritative name servers), widespread exploitation of CVE-2026-5947 could cause regional or even global disruption. While ISC rates the severity as high rather than critical, the ease of exploitation and the absence of a configuration workaround make it a serious threat: an unauthenticated remote attacker who can generate a query flood can crash a server with minimal effort.
Affected Versions and Patch Availability
ISC published the vulnerability alongside a coordinated release of patched BIND 9 versions. According to the disclosure, the following versions are affected:
- All stable releases of BIND 9 up to and including 9.18.28
- All stable releases of BIND 9 up to and including 9.20.4
- Development and older branches may also be affected; ISC recommends upgrading even if not explicitly listed.
The fix is included in:
- BIND 9.18.29
- BIND 9.20.5
Administrators should upgrade immediately. For those unable to upgrade, ISC has not provided a runtime workaround: there is no named.conf setting that switches SIG(0) processing off, and the vulnerable code is compiled into every stock named build, so removing it would mean rebuilding from modified source, which is not a realistic option for most operators. The best course is to apply the patch.
Mitigation Strategies
While patching is the only complete fix, several temporary measures can reduce risk:
- Rate limiting: Configure a rate-limit block (Response Rate Limiting, RRL) in named.conf. RRL caps the number of identical responses sent to a client network prefix per second; it does not count incoming queries, and it was designed for authoritative servers facing reflection floods. It blunts the amplification and some of the load of a flood, but named still parses, and for SIG(0) still verifies, every query it receives, so treat it as a partial measure rather than a fix.
- Recursion restriction: If the server is authoritative only, disable recursion entirely (recursion no;). This shrinks the attack surface and the work an attacker can impose per query, but SIG(0) is normally used against authoritative servers (dynamic updates), so the vulnerable path remains reachable.
- Anycast deployment: Distributing DNS service across multiple anycast nodes means a crash on one node does not take down the whole service; traffic is rerouted to surviving instances. Every node runs the same vulnerable code, however, so an attacker who can reach all of them can crash all of them; anycast buys resilience against opportunistic attacks, not immunity.
- Traffic filtering: At the network edge, drop DNS queries from unexpected or untrusted sources, especially if they contain SIG(0) records. This is a coarse‑grained defense but can buy time.
- Process monitoring: Run named under a supervisor that restarts it on failure (a systemd unit configured to restart on failure, or a watchdog script). This reduces downtime to seconds rather than minutes, but an attacker who can trigger the crash once can trigger it again, so automatic restart is damage limitation, not mitigation.
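The rate-limit block referred to above, as an added illustration rather than ISC's or this page's own configuration. The numeric values are assumptions to tune for your own traffic, and log-only starts RRL in dry-run mode so you can see what it would drop before it drops anything:

```text
options {
    // Response Rate Limiting (RRL). It limits *responses* per client prefix;
    // it does not stop named from parsing (or SIG(0)-verifying) incoming queries.
    rate-limit {
        responses-per-second 10;   // identical answers per client prefix per second (assumed value)
        errors-per-second 5;       // REFUSED/SERVFAIL/FORMERR etc. (assumed value)
        window 5;                  // seconds over which a client accumulates credit
        slip 2;                    // every 2nd dropped response is sent truncated so TCP clients can retry
        ipv4-prefix-length 24;     // clients are bucketed by /24 ...
        ipv6-prefix-length 56;     // ... and /56
        log-only yes;              // dry run: log what would be dropped. Set to "no" once tuned.
        exempt-clients { 127.0.0.1; 10.0.0.0/8; };   // assumed: your own resolvers and monitoring
    };
};
```

Watch the log for a few hours with log-only on; if legitimate internal resolvers show up as rate-limited, add them to exempt-clients rather than raising the global limits.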
Long‑term, organizations should reassess their DNS architecture. A single point of failure is always a risk. Using multiple DNS software implementations (e.g., BIND for authoritative, Unbound for recursive) can prevent a single CVE from causing a complete outage.
Windows DNS and BIND: Why It Matters
Windows Server itself does not run BIND; it includes its own DNS Server role. However, BIND is extremely common in mixed environments and as the underlying engine for many commercial DNS appliances. Moreover, Windows clients and servers often point to BIND‑based resolvers. If those BIND resolvers crash due to CVE-2026-5947, Windows machines will experience DNS failures—manifesting as “server not found” errors in browsers, failed Outlook connections, and broken VPNs.
Active Directory sites that rely on Unix‑based DNS servers (running BIND) for zone resolution will see replication and authentication problems. Even pure‑Windows shops frequently have BIND in the DMZ acting as an authoritative server for public domains. An outage there will make corporate websites and email unreachable from the Internet.
Security-conscious Windows administrators should:
- Inventory all DNS servers, including appliances that may embed BIND (Infoblox, BlueCat, etc.).
- Contact vendors for appliance‑specific patches.
- Validate that forwarders and conditional forwarders do not point to unpatched BIND instances.
- If running BIND on Windows via WSL or third‑party packages, treat those instances with the same urgency.
How to Check Your Exposure
To determine if you are running an affected version, execute:
named -v
On most Unix‑like systems, this returns the version string. Compare it against the fixed versions listed above. If you use a package manager, check the repository for updates:
# Debian/Ubuntu
apt list --installed | grep bind9
# RHEL/CentOS
rpm -qa bind
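For more than a handful of hosts you want the comparison done by a script rather than by eye. The following is an added example, not ISC tooling: it parses the banner that named -v prints, including the distro-suffixed form that Debian builds produce, and classifies it against the fixed releases listed in the section above. The host names and banners are constructed, and how you gather banners from a fleet (SSH, a config-management fact, an agent) is left to you.

```python
"""Classify `named -v` banners against the fixed releases this page lists (9.18.29, 9.20.5).
Added example, not ISC tooling. Sample banners are constructed, not real host output."""
import re
import subprocess
from typing import Optional

FIXED_IN = {(9, 18): 29, (9, 20): 5}      # branch -> first patched patch-level, per the page's list
BANNER_RE = re.compile(r"\bBIND\s+(\d+)\.(\d+)\.(\d+)")

def parse_version(banner: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from a banner such as
    'BIND 9.18.28-1~deb12u2-Debian (Extended Support Version) <id:...>'."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no BIND version in {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def assess(version: tuple[int, int, int]) -> str:
    """'affected', 'fixed', or 'unlisted' (a branch the advisory does not name;
    the page's advice is to upgrade those too rather than assume they are safe)."""
    major, minor, patch = version
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "fixed" if patch >= fixed else "affected"

def assess_banner(banner: str) -> str:
    return assess(parse_version(banner))

def local_banner() -> Optional[str]:
    """Run `named -v` on this host; None if BIND is not installed here."""
    try:
        proc = subprocess.run(["named", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return (proc.stdout or proc.stderr).strip() or None

# constructed banners in the shapes distro and upstream builds print (not real hosts)
SAMPLE_BANNERS = {
    "dns1": "BIND 9.18.28-1~deb12u2-Debian (Extended Support Version) <id:abc>",
    "dns2": "BIND 9.18.29 (Extended Support Version) <id:def>",
    "dns3": "BIND 9.20.4 (Stable Release) <id:123>",
    "dns4": "BIND 9.20.5 (Stable Release) <id:456>",
    "dns5": "BIND 9.16.50 (Extended Support Version) <id:789>",
}

def triage(banners: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the 'affected' list can go straight into a ticket."""
    out: dict[str, list[str]] = {"affected": [], "fixed": [], "unlisted": [], "unparseable": []}
    for host, banner in banners.items():
        try:
            out[assess_banner(banner)].append(host)
        except ValueError:                # e.g. a shell error message captured instead of a banner
            out["unparseable"].append(host)
    return out

if __name__ == "__main__":
    if (b := local_banner()):
        print("this host:", b, "->", assess_banner(b))
    for status, hosts in triage(SAMPLE_BANNERS).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```

Treat "unlisted" and "unparseable" as work items, not as clean results: the first is a branch you still need to upgrade per the advisory, the second is a host where you do not actually know what is running.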
For hard‑to‑patch environments (air‑gapped, legacy OS), network segmentation can limit the blast radius. Place BIND servers behind a firewall that drops DNS traffic from untrusted sources, and ensure only necessary servers can reach them.
The Broader Lesson: SIG(0) and DNS Complexity
SIG(0) is a powerful but rarely used feature. Many DNS operators do not even realize it is enabled by default in BIND. This vulnerability highlights the risk of code paths that are seldom exercised. The DNS protocol has accumulated decades of extensions—many of them optional and poorly tested under stress. Attackers often target these dusty corners because they escape routine scrutiny.
ISC is considering making SIG(0) support a compile‑time option in future BIND releases. For most deployments, dynamic updates are handled via TSIG (shared‑secret HMAC), which is simpler and more widely used. The DNS community may need a broader conversation about deprecating underused cryptographic features that add disproportionate attack surface.
What’s Next: Exploitation In the Wild?
As of June 2026, no public exploit code has been observed, but the advisory gives a capable attacker enough detail to build a denial-of-service tool, and the trigger is cheap: a query flood plus a sequence of crafted SIG(0) messages. I expect proof-of-concept code within days. DDoS-for-hire operators are likely to add it to their toolkits, because crashing a resolver with a crafted stream takes far less bandwidth than overwhelming it with volume.
Organizations that delay patching are effectively leaving their DNS infrastructure in a “crash on demand” state. The clock is ticking.
Conclusion: Patch Now and Harden Your DNS
CVE-2026-5947 is a textbook example of a high‑severity vulnerability that is simple to exploit and devastating in effect. BIND remains one of the internet’s most critical pieces of infrastructure, and its reliability is not optional. The ISC patch must be applied without delay. Beyond this single CVE, the event reinforces the need for defense‑in‑depth in DNS design: multiple resolvers, heterogeneous software, rate limiting, and aggressive monitoring. For Windows shops, the message is clear: your domain‑joined machines are only as reliable as the DNS servers they rely on—so make sure those servers are patched and resilient.