CVE-2026-5946 PUBLISHED

Invalid handling of CLASS != IN

Assigner: isc
Reserved: 09.04.2026 Published: 20.05.2026 Updated: 20.05.2026

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN) — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data — can cause assertion failures in named. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor ISC
Product BIND 9
Versions Default: unaffected
  • affected from 9.11.0 to 9.16.50 (incl.)
  • affected from 9.18.0 to 9.18.48 (incl.)
  • affected from 9.20.0 to 9.20.22 (incl.)
  • affected from 9.21.0 to 9.21.21 (incl.)
  • affected from 9.11.3-S1 to 9.16.50-S1 (incl.)
  • affected from 9.18.11-S1 to 9.18.48-S1 (incl.)
  • affected from 9.20.9-S1 to 9.20.22-S1 (incl.)

Exploits

We are not aware of any active exploits.

Workarounds

Do not configure zones of any class other than Internet (IN). Furthermore, do not expose a server that allows DNS Dynamic Update to the general Internet.
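One way to check a configuration against the first workaround, as an added example that is not ISC's code: it scans `named.conf` text for `view` and `zone` statements whose class, explicit or inherited from the enclosing view, is not IN. The sample configuration is constructed, the function names are hypothetical, and `include` files are not followed.

```python
import re

# Constructed named.conf for illustration; names and file paths are made up.
SAMPLE_CONF = r'''
view "internal" {              // default class is IN
    zone "example.com" { type primary; file "example.com.db"; };
    zone "static.example" IN { type primary; file "static.db"; };
};
view "chaos-view" chaos {      # class is set on the view only
    zone "bind" { type primary; file "bind.db"; };
};
/* view "old" hs { zone "gone.example" { type primary; }; }; */
view "hesiod-view" hs {
    zone "ns.example" hs { type primary; file "hs.db"; };
};
'''

# Strings are matched first so comment markers inside them are left alone.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_HEADER = re.compile(r'\b(view|zone)\s+("[^"]*"|[^\s{;"]+)(?:\s+(\w+))?\s*\{')

def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def block_end(text, open_pos):
    """Return the index just past the brace closing the block at open_pos."""
    depth = 0
    for i in range(open_pos, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i + 1
    return len(text)

def non_in_statements(conf_text):
    """List (kind, name, class) for every view or zone whose class is not IN."""
    text = strip_comments(conf_text)
    findings, view_end, view_class = [], -1, "IN"
    for m in _HEADER.finditer(text):
        kind, name, cls = m.group(1), m.group(2).strip('"'), m.group(3)
        if kind == "view":
            view_class, view_end = (cls or "IN").upper(), block_end(text, m.end() - 1)
            effective = view_class
        else:
            # A zone without an explicit class takes the class of its view.
            inherited = view_class if m.start() < view_end else "IN"
            effective = (cls or inherited).upper()
        if effective != "IN":
            findings.append((kind, name, effective))
    return findings
```

Calling `non_in_statements` on the text of a configuration file returns an empty list when every view and zone it declares is class IN.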

Solutions

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.

Credits

  • ISC would like to thank Mcsky23 for bringing this vulnerability to our attention.

Problem Types

  • CWE-20 Improper Input Validation
  • CWE-125 Out-of-bounds Read
  • CWE-617 Reachable Assertion
  • CWE-754 Improper Check for Unusual or Exceptional Conditions
  • CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

Impacts

  • An attacker able to send specially crafted DNS messages to an affected `named` instance can cause it to terminate unexpectedly, resulting in a denial of service.