{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bind-9-9.20.0---9.20.22/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5947"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIND 9 (9.20.0 - 9.20.22)","BIND 9 (9.21.0 - 9.21.21)","BIND 9 (9.20.9-S1 - 9.20.22-S1)"],"_cs_severities":["high"],"_cs_tags":["cve","dns","use-after-free","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["ISC"],"content_html":"\u003cp\u003eA use-after-free vulnerability, tracked as CVE-2026-5947, exists in ISC BIND. Specifically, when BIND receives an incoming DNS message signed with SIG(0), it validates that signature. If the number of \u0026ldquo;recursive-clients\u0026rdquo; reaches the configured limit during this validation process due to a query flood, the DNS message may be discarded. However, a small window of time exists where the SIG(0) validation process might still attempt to read the now-discarded DNS message, leading to a use-after-free condition and undefined behavior. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. 
BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a DNS query flood to a BIND server to exhaust the \u003ccode\u003erecursive-clients\u003c/code\u003e limit.\u003c/li\u003e\n\u003cli\u003eSimultaneously, the attacker sends a crafted DNS message signed with SIG(0).\u003c/li\u003e\n\u003cli\u003eThe BIND server receives the crafted DNS message and begins SIG(0) signature validation.\u003c/li\u003e\n\u003cli\u003eWhile the signature validation is in progress, the \u003ccode\u003erecursive-clients\u003c/code\u003e limit is reached due to the query flood.\u003c/li\u003e\n\u003cli\u003eThe BIND server discards the DNS message to enforce the \u003ccode\u003erecursive-clients\u003c/code\u003e limit.\u003c/li\u003e\n\u003cli\u003eThe SIG(0) validation routine attempts to read the discarded DNS message.\u003c/li\u003e\n\u003cli\u003eA use-after-free vulnerability is triggered because the memory associated with the DNS message has been freed.\u003c/li\u003e\n\u003cli\u003eThis can lead to undefined behavior, potentially causing the BIND server to crash or, in more severe cases, allowing remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5947 can cause a denial-of-service (DoS) condition on the affected BIND server, disrupting DNS resolution services. In a worst-case scenario, it could lead to remote code execution, potentially allowing an attacker to gain control of the server. Given the critical role of DNS servers in network infrastructure, this vulnerability poses a significant risk. 
While no specific victim counts are available, the widespread use of BIND makes many organizations vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of BIND 9 to address CVE-2026-5947. Versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are not affected.\u003c/li\u003e\n\u003cli\u003eMonitor DNS server logs for errors related to SIG(0) validation, which may indicate exploitation attempts. Deploy the Sigma rule \u003ccode\u003eDetect SIG(0) validation failure\u003c/code\u003e to detect these events.\u003c/li\u003e\n\u003cli\u003eRate limit incoming DNS queries to prevent query floods and reduce the likelihood of triggering the \u003ccode\u003erecursive-clients\u003c/code\u003e limit and the race condition.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T13:20:01Z","date_published":"2026-05-20T13:20:01Z","id":"https://feed.craftedsignal.io/briefs/2026-05-isc-bind-uaf/","summary":"A race condition in ISC BIND can lead to a use-after-free vulnerability (CVE-2026-5947) when handling SIG(0) signed DNS messages, potentially leading to undefined behavior.","title":"ISC BIND Use-After-Free Vulnerability Due to Race Condition (CVE-2026-5947)","url":"https://feed.craftedsignal.io/briefs/2026-05-isc-bind-uaf/"}],"language":"en","title":"CraftedSignal Threat Feed — BIND 9 (9.20.0 - 9.20.22)","version":"https://jsonfeed.org/version/1.1"}