EUVD-2026-31107
GHSA-cqgq-ff3f-rj7r
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN) - for example, CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section. Specially crafted requests reaching the affected code paths - recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data - can cause assertion failures in named. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
AnalysisAI
Remote denial of service in ISC BIND 9 named allows unauthenticated attackers to trigger assertion failures and crash the resolver by sending DNS messages with non-Internet classes (CHAOS, HESIOD) or meta-classes (ANY, NONE) through code paths involving recursion, dynamic UPDATE, NOTIFY, or IN-specific record processing in non-IN data. The flaw affects BIND 9.11.0 through 9.21.21 across both open-source and Supported Preview (S1) branches, with no public exploit identified at time of analysis. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: inventory all systems running BIND 9 versions 9.11.0-9.21.21 and confirm exposure. Within 7 days: apply vendor-released patch to all affected BIND deployments and test DNS resolution in staging environments. …
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today