CVE-2026-5946
Undergoing Analysis - In Progress
Denial of Service in BIND named

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Internet Systems Consortium (ISC)

Description
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`), for example `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths (recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data) can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Meta Information
Generated: 2026-05-20
AI Q&A generated: 2026-05-20
EPSS evaluated: N/A
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
isc bind 9.11.0
isc bind 9.11.3-s1
isc bind 9.16.50
isc bind 9.16.50-s1
isc bind 9.18.0
isc bind 9.18.11-s1
isc bind 9.20.0
isc bind 9.20.9-s1
isc bind 9.21.0
isc bind 9.21.21
isc bind 9.18.48
isc bind 9.20.22
isc bind 9.21.22
isc bind 9.18.49
isc bind 9.20.23
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-5946 is a high-severity vulnerability in multiple versions of BIND 9 related to how the DNS service 'named' handles DNS messages with a CLASS field other than Internet (IN), such as CHAOS, HESIOD, or meta-classes like ANY or NONE.

Specially crafted DNS requests using these non-IN classes can trigger assertion failures in the named service, causing it to terminate unexpectedly.

This affects both authoritative DNS servers and resolvers running affected versions of BIND 9.


How can this vulnerability impact me?

The vulnerability can be exploited remotely by attackers sending specially crafted DNS requests, leading to assertion failures that cause the named service to crash.

This results in a denial of service (DoS), disrupting DNS resolution or authoritative DNS services.

Such disruption can affect network availability and reliability for users and services depending on the affected DNS servers.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves specially crafted DNS requests with CLASS fields other than Internet (IN), such as CHAOS, HESIOD, or meta-classes like ANY or NONE, which cause assertion failures in the named service.

Detection can involve monitoring DNS traffic for unusual or non-IN class queries and requests, especially those using CHAOS, HESIOD, ANY, or NONE classes.

Commands to detect such traffic might include using packet capture tools like tcpdump or tshark to filter DNS queries with non-IN classes.

  • tcpdump -i <interface> -n -w dns.pcap port 53 # Captures DNS traffic for offline inspection; the CLASS field follows the variable-length QNAME, so it has no fixed byte offset that a BPF filter can test (udp[10] is the DNS flags byte, not the class)
  • tshark -i <interface> -Y 'dns.qry.class != 1' # Displays DNS queries with classes other than IN (1); use -r dns.pcap instead of -i to read the capture above

Additionally, reviewing named logs for assertion failures or unexpected terminations can help detect exploitation attempts.
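As an added example (not from the CVE record, ISC or BIND), a small Python parser that walks the DNS question section and flags queries whose QCLASS is not IN; `build_query` is a helper assumed here only to construct the inline sample messages. It raises on truncated input rather than guessing, since malformed messages are themselves worth logging.

```python
import struct

# DNS CLASS values (RFC 1035 / RFC 2136); anything other than IN (1) is what we want to flag
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 254: "NONE", 255: "ANY"}

def build_query(qname, qtype=1, qclass=1, msg_id=0x1234):
    """Helper (assumed here) that builds a minimal DNS query: header plus one question."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_questions(msg):
    """Return [(qname, qtype, qclass), ...] from the question section; ValueError if truncated."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:  # walk the variable-length QNAME label by label
            if pos >= len(msg):
                raise ValueError("truncated QNAME")
            length = msg[pos]
            if length & 0xC0 == 0xC0:  # compression pointer terminates the name
                pos += 2
                break
            pos += 1
            if length == 0:  # root label: end of name
                break
            labels.append(msg[pos:pos + length].decode("ascii", "replace"))
            pos += length
        if pos + 4 > len(msg):
            raise ValueError("truncated QTYPE/QCLASS")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])  # QCLASS only known after QNAME
        pos += 4
        questions.append((".".join(labels) + ".", qtype, qclass))
    return questions

def non_in_questions(msg):
    """Questions whose CLASS is not IN, with the class mnemonic (or raw number if unknown)."""
    return [(name, CLASS_NAMES.get(cls, str(cls)))
            for name, _qtype, cls in parse_questions(msg) if cls != 1]

# Constructed sample traffic: an ordinary IN query, a CHAOS TXT query, a class-ANY query, a class-NONE query
SAMPLES = [
    build_query("example.com.", 1, 1),
    build_query("version.bind.", 16, 3),
    build_query("example.com.", 1, 255),
    build_query("example.com.", 6, 254),
]
```

Feed the raw UDP payloads from a capture into `non_in_questions` and count hits per source; a sudden rise in CH, HS, ANY or NONE questions against a resolver is the signal the answer above describes.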


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of non-IN class zones and restricting access to DNS Dynamic Update functionality.

Administrators should upgrade affected BIND 9 versions to the patched releases: 9.18.49, 9.20.23, 9.21.22, or their respective preview editions.

Until upgrades can be applied, restricting or filtering DNS traffic that contains non-IN class queries can reduce exposure.

Monitoring and logging should be enhanced to detect any attempts to exploit this vulnerability.

