An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

slackware SSA:2026-141-01: [slackware-security] bind (SSA:2026-141-01)

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6285 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6285-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     May 20, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : bind9     CVE ID         : CVE-2026-3039 CVE-2026-3592 CVE-2026-5946                      CVE-2026-5950 CVE-2026-5947 CVE-2026-3593

    Several vulnerabilities were discovered in BIND, a DNS server     implementation, which may result in denial of service.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 1:9.18.49-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in     version 1:9.20.23-1~deb13u1.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Debian Linux - bind9 - None (CVE-2026-5950)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2026-5950 advisory.

  - Debian Linux - bind9 - None (CVE-2026-5950)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
315942	Debian dsa-6285 : bind9 - security update	Nessus	Debian Local Security Checks	high
315769	Linux Distros Unpatched Vulnerability : CVE-2026-5950	Nessus	Misc.	medium
315734	ISC BIND 9.18.36 < 9.18.49 / 9.18.36-S1 < 9.18.49-S1 / 9.20.8 < 9.20.23 / 9.20.9-S1 < 9.20.23-S1 / 9.21.7 < 9.21.22 Vulnerability (cve-2026-5950)	Nessus	DNS	medium

Detections

Analytics

CVE-2026-5950

medium

Tenable Plugins

Coming Soon

high

medium

medium