CVE-2026-5946
Status: Analyzed (Analysis Complete)
Denial of Service in BIND named

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: Internet Systems Consortium (ISC)

Description
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-21
Generated: 2026-06-10
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
4 associated CPEs
Vendor  Product  Version / Range
isc     bind     9.11.0 (inclusive) to 9.16.50 (inclusive)
isc     bind     9.18.0 (inclusive) to 9.18.49 (exclusive)
isc     bind     9.20.0 (inclusive) to 9.20.23 (exclusive)
isc     bind     9.21.0 (inclusive) to 9.21.22 (exclusive)
Weaknesses (CWE)
CWE ID   Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Quick Actions
Executive Summary

CVE-2026-5946 is a high-severity vulnerability in multiple versions of BIND 9 related to how the DNS service 'named' handles DNS messages with a CLASS field other than Internet (IN), such as CHAOS, HESIOD, or meta-classes like ANY or NONE.

Specially crafted DNS requests using these non-IN classes can trigger assertion failures in the named service, causing it to terminate unexpectedly.

This affects both authoritative DNS servers and resolvers running affected versions of BIND 9.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The vulnerability can be exploited remotely by attackers sending specially crafted DNS requests, leading to assertion failures that cause the named service to crash.

This results in a denial of service (DoS), disrupting DNS resolution or authoritative DNS services.

Such disruption can affect network availability and reliability for users and services depending on the affected DNS servers.

Detection Guidance

This vulnerability involves specially crafted DNS requests with CLASS fields other than Internet (IN), such as CHAOS, HESIOD, or meta-classes like ANY or NONE, which cause assertion failures in the named service.

Detection can involve monitoring DNS traffic for unusual or non-IN class queries and requests, especially those using CHAOS, HESIOD, ANY, or NONE classes.

Commands to detect such traffic might include using packet capture tools like tcpdump or tshark to filter DNS queries with non-IN classes.

  • tcpdump -i <interface> -n port 53 -w dns.pcap # Captures DNS traffic for offline dissection; the CLASS field follows the variable-length QNAME, so it cannot be matched with a fixed udp[] byte offset (a filter such as 'udp[10] & 0x7f != 1' tests a header flags byte, not the class)
  • tshark -i <interface> -Y 'dns.qry.class != 1' # Displays DNS queries with classes other than IN (1); use -r dns.pcap instead of -i to dissect the capture written above

Additionally, reviewing named logs for assertion failures or unexpected terminations can help detect exploitation attempts.
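The reason a fixed-offset packet filter cannot select these messages is that QCLASS sits after the variable-length QNAME, so the question section has to be walked label by label. The following Python script, added as an example for this page and not code from ISC or from BIND, does that walk and flags any message whose first question (or, for UPDATE, zone) entry carries a class other than IN. The sample messages, the helper `build_query` that constructs them, and the function names are all assumptions of this example; the DNS wire format it parses is RFC 1035.

```python
"""Flag DNS messages whose question (or UPDATE zone) section carries a
non-IN CLASS.  Added example for this page; not ISC/BIND code."""
import struct

CLASS_IN = 1
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 254: "NONE", 255: "ANY"}
OPCODE_NAMES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name that starts at `off`.
    Handles plain labels and a compression pointer (RFC 1035 4.1.4)."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte pointer also ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + length


def inspect_message(msg: bytes) -> dict:
    """Parse the header and the first question/zone entry of a DNS message.
    For opcode UPDATE the 'question' slot is the zone section, whose class
    is the one the description above refers to."""
    if len(msg) < 12:
        raise ValueError("short header")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    opcode = (flags >> 11) & 0xF
    qclass = None
    if qdcount:
        off = skip_name(msg, 12)        # question starts right after the header
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        _qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": msg_id,
        "opcode": OPCODE_NAMES.get(opcode, str(opcode)),
        "qclass": qclass,
        "class_name": (CLASS_NAMES.get(qclass, f"CLASS{qclass}")
                       if qclass is not None else None),
        "non_in": qclass is not None and qclass != CLASS_IN,
    }


def build_query(name: str, qtype: int, qclass: int, opcode: int = 0,
                msg_id: int = 0x1234) -> bytes:
    """Constructed sample-message builder (not captured traffic)."""
    flags = (opcode & 0xF) << 11
    if opcode == 0:
        flags |= 0x0100                 # RD bit on an ordinary query
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".") if label) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


# Constructed samples: one ordinary IN query plus the non-IN cases the
# description names (CHAOS, HESIOD, a meta-class, and an UPDATE zone class).
SAMPLES = [
    build_query("www.example.com", 1, 1),            # A, IN
    build_query("version.bind", 16, 3),              # TXT, CH
    build_query("host.example.com", 1, 4),           # A, HS
    build_query("example.com", 6, 255),              # SOA, ANY (meta-class)
    build_query("example.com", 6, 1, opcode=5),      # UPDATE, zone class IN
    build_query("example.com", 6, 3, opcode=5),      # UPDATE, zone class CH
]


def flag_non_in(messages):
    """Return the parsed records for every message with a non-IN class."""
    return [r for r in (inspect_message(m) for m in messages) if r["non_in"]]


if __name__ == "__main__":
    for record in flag_non_in(SAMPLES):
        print(f"id={record['id']:#06x} opcode={record['opcode']} "
              f"class={record['class_name']}")
```

Run against raw UDP payloads from a capture, the same logic gives a count of non-IN questions per source, which is the signal the guidance above asks for; it deliberately stops at the first entry, since the vulnerable code paths are keyed on the class of the question or zone, not on answer records.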

Mitigation Strategies

Immediate mitigation steps include avoiding the use of non-IN class zones and restricting access to DNS Dynamic Update functionality.

Administrators should upgrade affected BIND 9 versions to the patched releases: 9.18.49, 9.20.23, 9.21.22, or their respective preview editions.

Until upgrades can be applied, restricting or filtering DNS traffic that contains non-IN class queries can reduce exposure.

Monitoring and logging should be enhanced to detect any attempts to exploit this vulnerability.
