CVE-2026-5946
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN) — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data — can cause assertion failures in named.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ISC | BIND 9 | 9.11.0 <= 9.16.50 | affected |
| ISC | BIND 9 | 9.18.0 <= 9.18.48 | affected |
| ISC | BIND 9 | 9.20.0 <= 9.20.22 | affected |
| ISC | BIND 9 | 9.21.0 <= 9.21.21 | affected |
| ISC | BIND 9 | 9.11.3-S1 <= 9.16.50-S1 | affected |
| ISC | BIND 9 | 9.18.11-S1 <= 9.18.48-S1 | affected |
| ISC | BIND 9 | 9.20.9-S1 <= 9.20.22-S1 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
- CWE-125: CWE-125 Out-of-bounds Read
- CWE-617: CWE-617 Reachable Assertion
- CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions
- CWE-843: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
Workarounds
Don't configure zones other than Internet (IN) class. Furthermore, do not expose the server that allows DNS Dynamic Update to the general Internet.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
bind: BIND: Denial of Service via specially crafted DNS messages
Additional References
- https://access.redhat.com/security/cve/CVE-2026-5946
- https://bugzilla.redhat.com/show_bug.cgi?id=2479771
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5946.json
- https://access.redhat.com/errata/RHSA-2026:24338
- https://access.redhat.com/errata/RHSA-2026:24339
- https://access.redhat.com/errata/RHSA-2026:23360
- https://access.redhat.com/errata/RHSA-2026:24367
- https://access.redhat.com/errata/RHSA-2026:24368
- https://access.redhat.com/errata/RHSA-2026:20334
References
- https://kb.isc.org/docs/cve-2026-5946
- https://downloads.isc.org/isc/bind9/9.18.49
- https://downloads.isc.org/isc/bind9/9.20.23
- https://downloads.isc.org/isc/bind9/9.21.22
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.