Skip to main content
CVE Vulnerability Database

CVE-2026-5946: BIND 9 DNS Denial of Service Vulnerability

CVE-2026-5946 is a denial of service vulnerability in BIND 9 DNS server caused by improper handling of non-IN class DNS messages. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-5946 Overview

CVE-2026-5946 is a denial-of-service vulnerability in ISC BIND 9 named affecting how the resolver processes DNS messages whose CLASS field is not Internet (IN). Specially crafted requests using CHAOS, HESIOD, or meta-classes (ANY, NONE) in the question section can trigger assertion failures in named. The flaw reaches affected code paths through recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types embedded in non-IN data. Successful exploitation crashes the DNS service, disrupting name resolution for all dependent clients. The issue is categorized under [CWE-20] Improper Input Validation.

Critical Impact

A remote, unauthenticated attacker can send crafted DNS messages over the network to crash named, producing a sustained denial of service against affected BIND 9 deployments.

Affected Products

  • ISC BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, and 9.21.0 through 9.21.21
  • ISC BIND 9 Supported Preview Edition 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1
  • Authoritative and recursive named resolvers accepting non-IN class queries, dynamic updates, or NOTIFY messages

Discovery Timeline

  • 2026-05-20 - CVE-2026-5946 published to NVD
  • 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-5946

Vulnerability Analysis

The vulnerability stems from improper input validation in named when handling DNS messages tagged with a CLASS other than Internet (IN). DNS supports multiple classes, including CHAOS and HESIOD, plus the meta-classes ANY and NONE valid only in queries and updates. BIND 9 includes code paths that assume class consistency or operate on IN-specific record types. When a non-IN message or a mixed-class record reaches these paths, internal invariants fail. The result is an assertion failure that terminates the named process. Recovery requires the service supervisor to restart named, and an attacker can re-trigger the condition immediately. The exploit requires no authentication, no user interaction, and operates over the network.

Root Cause

The root cause is missing or insufficient validation of the DNS message CLASS field across multiple processing routines: recursion, dynamic UPDATE handling, NOTIFY processing, and record-type dispatch logic. Code that expected only IN-class data reaches inconsistent state when presented with CHAOS, HESIOD, ANY, or NONE classes, triggering defensive assertions that abort the daemon.

Attack Vector

An unauthenticated attacker sends a single crafted DNS message to the affected named instance. The message may be a recursive query for a CHAOS or HESIOD record, a dynamic update referencing a meta-class, a forged NOTIFY, or a query mixing IN-specific record types with a non-IN CLASS. The packet traverses the vulnerable code path and triggers the assertion. See the ISC CVE-2026-5946 Documentation for protocol-level details.

Detection Methods for CVE-2026-5946

Indicators of Compromise

  • named process termination accompanied by assertion failure messages in syslog or the BIND log channel, often referencing class handling or message parsing routines
  • Sudden spikes of inbound DNS queries with CLASS values of CHAOS (3), HESIOD (4), ANY (255), or NONE (254) from untrusted sources
  • Repeated named service restarts logged by systemd, rc.d, or other supervisors within short intervals

Detection Strategies

  • Inspect DNS traffic with packet capture or flow analysis tools and alert on non-IN class queries originating outside expected administrative ranges
  • Correlate DNS server crash events with preceding query patterns to identify the triggering packet
  • Apply IDS signatures matching DNS headers where the QCLASS field is not 0x0001 (IN) for traffic destined to recursive resolvers

Monitoring Recommendations

  • Forward named logs and process supervisor events to a centralized logging platform and alert on assertion failures or unexpected restarts
  • Track DNS query class distribution as a baseline metric and trigger alerts on statistically significant deviations
  • Monitor availability of DNS resolution from dependent applications to detect downstream impact of resolver crashes

How to Mitigate CVE-2026-5946

Immediate Actions Required

  • Upgrade named to BIND 9.18.49, 9.20.23, or 9.21.22 as published by ISC, or the corresponding -S1 Supported Preview Edition release
  • Restrict recursion and dynamic update access to trusted networks using allow-recursion, allow-update, and allow-notify ACLs
  • Place affected resolvers behind DNS-aware filtering that drops or rate-limits non-IN class queries from untrusted sources

Patch Information

ISC has released fixed builds available from the official download site: ISC BIND 9.18.49, ISC BIND 9.20.23, and ISC BIND 9.21.22. Operators of the Supported Preview Edition should obtain the corresponding -S1 builds through their ISC support channel. Refer to the ISC CVE-2026-5946 Documentation for upgrade guidance.

Workarounds

  • No supported workaround fully prevents the assertion failure; upgrading is required per the ISC advisory
  • As a temporary measure, block inbound DNS messages with non-IN CLASS values at perimeter firewalls or DNS proxies where business requirements allow
  • Disable dynamic updates and restrict NOTIFY acceptance to known secondary servers to reduce the reachable attack surface until patching is complete
bash
# Example named.conf hardening to limit exposure
options {
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };
    allow-update { none; };
    allow-notify { 192.0.2.10; 192.0.2.11; };
    minimal-responses yes;
};

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.