CVE-2026-5946

Summary

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN) — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data — can cause assertion failures in named. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.11.0 <= 9.16.50affected
ISCBIND 99.18.0 <= 9.18.48affected
ISCBIND 99.20.0 <= 9.20.22affected
ISCBIND 99.21.0 <= 9.21.21affected
ISCBIND 99.11.3-S1 <= 9.16.50-S1affected
ISCBIND 99.18.11-S1 <= 9.18.48-S1affected
ISCBIND 99.20.9-S1 <= 9.20.22-S1affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation
  • CWE-125: CWE-125 Out-of-bounds Read
  • CWE-617: CWE-617 Reachable Assertion
  • CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions
  • CWE-843: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Workarounds

Don't configure zones other than Internet (IN) class. Furthermore, do not expose the server that allows DNS Dynamic Update to the general Internet.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

bind: BIND: Denial of Service via specially crafted DNS messages

Additional References

References