Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-5946
PUBLISHED
More InfoOfficial Page
Assigner-isc
Assigner Org ID-404fd4d2-a609-4245-b543-2c944a302a22
View Known Exploited Vulnerability (KEV) details
Published At-20 May, 2026 | 13:10
Updated At-20 May, 2026 | 13:40
Rejected At-
▼CVE Numbering Authority (CNA)
Invalid handling of CLASS != IN

Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Affected Products
Vendor
Internet Systems Consortium, Inc.ISC
Product
BIND 9
Default Status
unaffected
Versions
Affected
  • From 9.11.0 through 9.16.50 (custom)
  • From 9.18.0 through 9.18.48 (custom)
  • From 9.20.0 through 9.20.22 (custom)
  • From 9.21.0 through 9.21.21 (custom)
  • From 9.11.3-S1 through 9.16.50-S1 (custom)
  • From 9.18.11-S1 through 9.18.48-S1 (custom)
  • From 9.20.9-S1 through 9.20.22-S1 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-20CWE-20 Improper Input Validation
CWECWE-125CWE-125 Out-of-bounds Read
CWECWE-617CWE-617 Reachable Assertion
CWECWE-754CWE-754 Improper Check for Unusual or Exceptional Conditions
CWECWE-843CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
Type: CWE
CWE ID: CWE-20
Description: CWE-20 Improper Input Validation
Type: CWE
CWE ID: CWE-125
Description: CWE-125 Out-of-bounds Read
Type: CWE
CWE ID: CWE-617
Description: CWE-617 Reachable Assertion
Type: CWE
CWE ID: CWE-754
Description: CWE-754 Improper Check for Unusual or Exceptional Conditions
Type: CWE
CWE ID: CWE-843
Description: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
N/AAn attacker able to send specially crafted DNS messages to an affected `named` instance can cause it to terminate unexpectedly, resulting in a denial of service.
CAPEC ID: N/A
Description: An attacker able to send specially crafted DNS messages to an affected `named` instance can cause it to terminate unexpectedly, resulting in a denial of service.
Solutions

Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.

Configurations
Workarounds

Don't configure zones other than Internet (`IN`) class. Furthermore, do not expose the server that allows DNS Dynamic Update to the general Internet.

Exploits

We are not aware of any active exploits.

Credits
ISC would like to thank Mcsky23 for bringing this vulnerability to our attention.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://kb.isc.org/docs/cve-2026-5946
vendor-advisory
https://downloads.isc.org/isc/bind9/9.18.49
patch
https://downloads.isc.org/isc/bind9/9.20.23
patch
https://downloads.isc.org/isc/bind9/9.21.22
patch
Hyperlink: https://kb.isc.org/docs/cve-2026-5946
Resource:
vendor-advisory
Hyperlink: https://downloads.isc.org/isc/bind9/9.18.49
Resource:
patch
Hyperlink: https://downloads.isc.org/isc/bind9/9.20.23
Resource:
patch
Hyperlink: https://downloads.isc.org/isc/bind9/9.21.22
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found