Skip to main content

ISC BIND 9 CVE-2026-5946

| EUVDEUVD-2026-31107 HIGH
Improper Input Validation (CWE-20)
2026-05-20 isc GHSA-cqgq-ff3f-rj7r
7.5
CVSS 3.1 · Vendor: isc
Share

Severity by source

Vendor (isc) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (isc).

CVSS VectorVendor: isc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 13:32 vuln.today

DescriptionCVE.org

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN) - for example, CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section. Specially crafted requests reaching the affected code paths - recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data - can cause assertion failures in named. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

AnalysisAI

Remote denial of service in ISC BIND 9 named allows unauthenticated attackers to trigger assertion failures and crash the resolver by sending DNS messages with non-Internet classes (CHAOS, HESIOD) or meta-classes (ANY, NONE) through code paths involving recursion, dynamic UPDATE, NOTIFY, or IN-specific record processing in non-IN data. The flaw affects BIND 9.11.0 through 9.21.21 across both open-source and Supported Preview (S1) branches, with no public exploit identified at time of analysis. CVSS 7.5 reflects high availability impact with network-reachable, low-complexity, unauthenticated exploitation.

Technical ContextAI

BIND 9 is the most widely deployed DNS server implementation, maintained by ISC and used by recursive resolvers, authoritative nameservers, and DNS infrastructure operators worldwide. The vulnerability stems from CWE-20 (Improper Input Validation) in named's handling of DNS message CLASS fields - the DNS protocol defines multiple classes (IN for Internet, CH for CHAOS, HS for HESIOD) and meta-classes (ANY, NONE) used in queries; named's code paths for recursion, dynamic updates (RFC 2136), NOTIFY (RFC 1996), and record-type processing fail to properly validate when these non-IN or meta-class messages reach assertion-protected logic, resulting in process termination. The CPE cpe:2.3:a:isc:bind_9:*:*:*:*:*:*:*:* covers the entire BIND 9 product line, including the Subscription Edition (S1) branches used by ISC support customers.

RemediationAI

Vendor-released patches are available: upgrade open-source BIND 9 to 9.18.49 (https://downloads.isc.org/isc/bind9/9.18.49), 9.20.23 (https://downloads.isc.org/isc/bind9/9.20.23), or 9.21.22 (https://downloads.isc.org/isc/bind9/9.21.22), and Subscription Edition customers should obtain the corresponding S1 builds from ISC support. Note that the 9.11 and 9.16 branches are end-of-life with no patched open-source release listed - operators still running those branches should plan migration to 9.18.49 or later. Until patching is complete, compensating controls include restricting recursion to trusted clients via the allow-recursion ACL, limiting dynamic UPDATE sources via allow-update or update-policy (trade-off: breaks dynamic DNS clients outside the ACL), restricting NOTIFY sources via allow-notify to known authoritative peers (trade-off: zone transfer coordination must be re-validated), and considering an upstream DNS firewall or rate-limiting layer to drop malformed-class queries before they reach named. Refer to the ISC knowledge base advisory at https://kb.isc.org/docs/cve-2026-5946 for definitive guidance.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-5946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy