VYPR
High severity 7.5 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-5946

Description

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN) — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data — can cause assertion failures in named. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BIND 9 fails to properly handle DNS messages with non-IN classes, allowing remote attackers to trigger assertion failures and cause denial of service.

Vulnerability

Multiple flaws in named affect handling of DNS messages whose CLASS is not Internet (IN), such as CHAOS, HESIOD, or meta-classes ANY/NONE. Specially crafted requests reaching recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data can cause assertion failures. Affected versions: BIND 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and corresponding Supported Preview Edition versions [1].

Exploitation

An attacker can send specially crafted DNS messages to an affected named instance without authentication or user interaction. The messages must reach one of the vulnerable code paths (recursion, dynamic update, NOTIFY, or processing of IN-specific records in non-IN data). No special network position is required beyond the ability to send DNS queries to the target server [1].

Impact

Successful exploitation causes named to terminate unexpectedly due to an assertion failure, resulting in a denial of service (DoS). The vulnerability does not lead to information disclosure, privilege escalation, or remote code execution. Both authoritative servers and resolvers are affected [1].

Mitigation

Upgrade to patched releases: BIND 9.18.49, 9.20.23, or 9.21.22 (and corresponding Supported Preview Edition versions 9.18.49-S1, 9.20.23-S1) [1][2][3][4]. As a workaround, do not configure zones other than Internet (IN) class, and avoid exposing servers that allow DNS Dynamic Update to the general Internet [1]. No active exploits are known [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: >=9.11.0,<=9.16.50||>=9.18.0,<=9.18.48||>=9.20.0,<=9.20.22||>=9.21.0,<=9.21.21||>=9.11.3,<=9.16.50-S1||>=9.18.11-S1,<=9.18.48-S1||>=9.20.9-S1,<=9.20.22-S1
  • Isc/Bind (llm-fuzzy)
    Range: 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, 9.20.9-S1 through 9.20.22-S1
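
The affected ranges above can be checked against a version string or the banner printed by `named -v`. The following is an added example, not code from ISC or from this advisory; the function names and the sample banner in the test are constructed for illustration, and the range bounds are copied from the text above.

```python
import re

# Inclusive affected ranges, copied from the advisory text.
AFFECTED = [
    ("9.11.0", "9.16.50"), ("9.18.0", "9.18.48"),
    ("9.20.0", "9.20.22"), ("9.21.0", "9.21.21"),
]
# Supported Preview Edition (-S) ranges are listed separately by the advisory.
AFFECTED_S = [
    ("9.11.3-S1", "9.16.50-S1"), ("9.18.11-S1", "9.18.48-S1"),
    ("9.20.9-S1", "9.20.22-S1"),
]
VERSION_RE = re.compile(r"\b(9)\.(\d+)\.(\d+)(?:-S(\d+))?")

def parse(text):
    """Return ((major, minor, patch), s_release or None) from a bare version
    or a banner such as `named -v` output; None if no BIND 9 version found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, (int(m.group(4)) if m.group(4) else None)

def is_listed_affected(text):
    """True if the version falls inside a range the advisory lists.
    False means "not listed", not "fixed": branches that sit between the
    listed ranges (for example 9.17.x) are simply not covered by the text."""
    parsed = parse(text)
    if parsed is None:
        raise ValueError(f"no BIND 9 version in {text!r}")
    core, s_rel = parsed
    # -S builds are compared only against the -S ranges, and vice versa.
    ranges = AFFECTED if s_rel is None else AFFECTED_S
    key = (core, s_rel or 0)
    for low, high in ranges:
        lo_core, lo_s = parse(low)
        hi_core, hi_s = parse(high)
        if (lo_core, lo_s or 0) <= key <= (hi_core, hi_s or 0):
            return True
    return False
```

Distribution packages can carry backported fixes under an older upstream version number, so a True result for a packaged build should be confirmed against the vendor's own advisory.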

Patches

0

No patches discovered yet.

References

4
