CVE-2026-5946: CWE-20 Improper Input Validation in ISC BIND 9
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
AI Analysis
Technical Summary
Multiple flaws in ISC BIND 9's 'named' daemon relate to improper input validation of DNS messages whose CLASS field is not Internet (IN), such as CHAOS, HESIOD, or meta-classes like ANY or NONE. These flaws manifest during processing of recursion, dynamic updates, zone change notifications, or IN-specific record types in non-IN data, causing assertion failures. Affected versions include 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and their S1 variants. The CVSS 3.1 score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact. ISC provides a patch and manages remediation for this cloud-hosted service.
Potential Impact
Exploitation of this vulnerability can cause assertion failures in the 'named' daemon, leading to denial of service conditions. There is no impact on confidentiality or integrity according to the CVSS vector. No known exploits are currently reported in the wild.
Mitigation Recommendations
A patch is available from ISC for affected BIND 9 versions. Since BIND 9 is offered as a cloud service, ISC manages remediation server-side. Users should consult the ISC advisory for patch application details and ensure their BIND 9 deployments are updated to fixed versions to prevent denial of service.
CVE-2026-5946: CWE-20 Improper Input Validation in ISC BIND 9
Description
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Multiple flaws in ISC BIND 9's 'named' daemon relate to improper input validation of DNS messages whose CLASS field is not Internet (IN), such as CHAOS, HESIOD, or meta-classes like ANY or NONE. These flaws manifest during processing of recursion, dynamic updates, zone change notifications, or IN-specific record types in non-IN data, causing assertion failures. Affected versions include 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and their S1 variants. The CVSS 3.1 score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact. ISC provides a patch and manages remediation for this cloud-hosted service.
Potential Impact
Exploitation of this vulnerability can cause assertion failures in the 'named' daemon, leading to denial of service conditions. There is no impact on confidentiality or integrity according to the CVSS vector. No known exploits are currently reported in the wild.
Mitigation Recommendations
A patch is available from ISC for affected BIND 9 versions. Since BIND 9 is offered as a cloud service, ISC manages remediation server-side. Users should consult the ISC advisory for patch application details and ensure their BIND 9 deployments are updated to fixed versions to prevent denial of service.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- isc
- Date Reserved
- 2026-04-09T06:40:07.319Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a0db4dcba1db473627ecd84
Added to database: 5/20/2026, 1:19:24 PM
Last enriched: 5/20/2026, 1:33:55 PM
Last updated: 5/21/2026, 3:47:31 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.