CVE-2026-5946 Overview
CVE-2026-5946 is a denial-of-service vulnerability in the ISC BIND 9 named daemon, affecting how the resolver processes DNS messages whose CLASS field is not Internet (IN). Specially crafted requests using CHAOS, HESIOD, or the meta-classes ANY and NONE in the question section can trigger assertion failures in named. The flaw reaches affected code paths through recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types embedded in non-IN data. Successful exploitation crashes the DNS service, disrupting name resolution for all dependent clients. The issue is categorized under [CWE-20] Improper Input Validation.
Critical Impact
A remote, unauthenticated attacker can send crafted DNS messages over the network to crash named, producing a sustained denial of service against affected BIND 9 deployments.
Affected Products
- ISC BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, and 9.21.0 through 9.21.21
- ISC BIND 9 Supported Preview Edition 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1
- Authoritative and recursive named resolvers accepting non-IN class queries, dynamic updates, or NOTIFY messages
Discovery Timeline
- 2026-05-20 - CVE-2026-5946 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-5946
Vulnerability Analysis
The vulnerability stems from improper input validation in named when handling DNS messages tagged with a CLASS other than Internet (IN). DNS supports multiple classes, including CHAOS and HESIOD, plus the meta-classes ANY and NONE, which are valid only in queries and updates. BIND 9 includes code paths that assume class consistency or operate on IN-specific record types. When a non-IN message or a mixed-class record reaches these paths, internal invariants fail. The result is an assertion failure that terminates the named process. Recovery requires the service supervisor to restart named, and an attacker can re-trigger the condition immediately. The exploit requires no authentication or user interaction and operates over the network.
Root Cause
The root cause is missing or insufficient validation of the DNS message CLASS field across multiple processing routines: recursion, dynamic UPDATE handling, NOTIFY processing, and record-type dispatch logic. Code that expected only IN-class data reaches inconsistent state when presented with CHAOS, HESIOD, ANY, or NONE classes, triggering defensive assertions that abort the daemon.
Attack Vector
An unauthenticated attacker sends a single crafted DNS message to the affected named instance. The message may be a recursive query for a CHAOS or HESIOD record, a dynamic update referencing a meta-class, a forged NOTIFY, or a query mixing IN-specific record types with a non-IN CLASS. The packet traverses the vulnerable code path and triggers the assertion. See the ISC CVE-2026-5946 Documentation for protocol-level details.
Detection Methods for CVE-2026-5946
Indicators of Compromise
- named process termination accompanied by assertion failure messages in syslog or the BIND log channel, often referencing class handling or message parsing routines
- Sudden spikes of inbound DNS queries with CLASS values of CHAOS (3), HESIOD (4), ANY (255), or NONE (254) from untrusted sources
- Repeated named service restarts logged by systemd, rc.d, or other supervisors within short intervals
Detection Strategies
- Inspect DNS traffic with packet capture or flow analysis tools and alert on non-IN class queries originating outside expected administrative ranges
- Correlate DNS server crash events with preceding query patterns to identify the triggering packet
- Apply IDS signatures matching DNS headers where the QCLASS field is not 0x0001 (IN) for traffic destined to recursive resolvers
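A wire-level check of the kind the IDS signature above describes, written here as an added example rather than anything from the ISC advisory or this page: it reads the QCLASS of a request (and, for UPDATE, the zone-section class, which sits at the same offset) and flags anything other than IN, rejecting truncated or compressed input instead of guessing. The sample packets are constructed inline; the header and question layout follow RFC 1035.

```python
import struct
# DNS CLASS values from the IANA registry; only IN (1) is expected at a normal resolver
CLASS_NAMES = {1: "IN", 3: "CHAOS", 4: "HESIOD", 254: "NONE", 255: "ANY"}
OPCODE_NAMES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}

def read_name(pkt, off):
    """Read an uncompressed owner name at pkt[off]; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n, off = pkt[off], off + 1
        if n == 0:
            return ".".join(labels) or ".", off
        if n >= 64:  # compression pointer or bad length: never valid in the first entry
            raise ValueError("compressed or invalid label")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n

def inspect_request(pkt):
    """Describe the first question entry of a DNS request (the UPDATE zone entry has
    the same layout). None for responses (QR=1); ValueError on truncated/malformed data."""
    if len(pkt) < 12:
        raise ValueError("short header")
    flags, qdcount = struct.unpack("!HH", pkt[2:6])
    if flags & 0x8000:
        return None
    if qdcount == 0:
        raise ValueError("request without question/zone entry")
    name, off = read_name(pkt, 12)
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"opcode": OPCODE_NAMES.get((flags >> 11) & 0xF, "other"), "name": name,
            "qtype": qtype, "qclass": CLASS_NAMES.get(qclass, str(qclass)),
            "alert": qclass != 1}  # anything but IN deserves a look per the advisory

def build_request(name, qtype, qclass, opcode=0):
    """Constructed sample request (not captured traffic) for exercising the inspector."""
    flags = (opcode << 11) | (0x0100 if opcode == 0 else 0)  # RD set on plain queries
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = [l for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

# Constructed samples: a normal IN A query, a CHAOS TXT query, an ANY-class UPDATE
SAMPLES = [build_request("www.example.com", 1, 1),
           build_request("version.bind", 16, 3),
           build_request("example.com", 6, 255, opcode=5)]
```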
Monitoring Recommendations
- Forward named logs and process supervisor events to a centralized logging platform and alert on assertion failures or unexpected restarts
- Track DNS query class distribution as a baseline metric and trigger alerts on statistically significant deviations
- Monitor availability of DNS resolution from dependent applications to detect downstream impact of resolver crashes
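An added example (not from the page or from ISC) of the crash-to-query correlation and restart-burst alerting recommended above, run over constructed syslog-style lines: the named and systemd message shapes are assumptions modelled on typical output, and the hosts, PIDs, clients and timestamps are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not captured logs): the named lines are modelled on BIND's
# query log and "exiting (due to assertion failure)" messages, the systemd lines on its
# restart notices; hosts, PIDs, clients and timestamps are made up.
SAMPLE_LOG = """\
2026-05-21T10:00:00 ns1 named[4121]: client @0x1 198.51.100.7#53120 (www.example.com): query: www.example.com IN A
2026-05-21T10:00:01 ns1 named[4121]: client @0x2 203.0.113.9#40001 (version.bind): query: version.bind CH TXT
2026-05-21T10:00:01 ns1 named[4121]: exiting (due to assertion failure)
2026-05-21T10:00:02 ns1 systemd[1]: named.service: Scheduled restart job, restart counter is at 1.
2026-05-21T10:00:31 ns1 named[4188]: client @0x3 203.0.113.9#40002 (version.bind): query: version.bind CH TXT
2026-05-21T10:00:31 ns1 named[4188]: exiting (due to assertion failure)
2026-05-21T10:00:32 ns1 systemd[1]: named.service: Scheduled restart job, restart counter is at 2.
"""

LINE_RE = re.compile(r"^(\S+) \S+ (\w+)\[\d+\]: (.*)$")
QUERY_RE = re.compile(r"client \S+ ([\d.:a-f]+)#\d+ \(\S+\): query: (\S+) (\S+) (\S+)")

def parse(log):
    """Yield (timestamp, program, message) for each well-formed syslog-style line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def correlate(log, lookback=timedelta(seconds=5),
              restart_window=timedelta(minutes=5), max_restarts=2):
    """Pair each named assertion failure with the non-IN queries logged within
    `lookback` before it, and flag a restart burst when `max_restarts` supervisor
    restarts fall inside `restart_window`."""
    events = list(parse(log))
    crashes, restarts = [], []
    for ts, prog, msg in events:
        if prog == "named" and "assertion failure" in msg:
            suspects = []
            for t2, p2, m2 in events:
                q = QUERY_RE.search(m2) if p2 == "named" else None
                if q and ts - lookback <= t2 <= ts and q.group(3) != "IN":
                    suspects.append({"client": q.group(1), "name": q.group(2),
                                     "class": q.group(3), "type": q.group(4)})
            crashes.append({"at": ts.isoformat(), "suspect_queries": suspects})
        elif prog == "systemd" and "Scheduled restart job" in msg:
            restarts.append(ts)
    burst = any(restarts[i] - restarts[i + 1 - max_restarts] <= restart_window
                for i in range(max_restarts - 1, len(restarts)))
    return {"crashes": crashes, "restart_burst": burst}
```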
How to Mitigate CVE-2026-5946
Immediate Actions Required
- Upgrade named to BIND 9.18.49, 9.20.23, or 9.21.22 as published by ISC, or the corresponding -S1 Supported Preview Edition release
- Restrict recursion and dynamic update access to trusted networks using allow-recursion, allow-update, and allow-notify ACLs
- Place affected resolvers behind DNS-aware filtering that drops or rate-limits non-IN class queries from untrusted sources
Patch Information
ISC has released fixed builds available from the official download site: ISC BIND 9.18.49, ISC BIND 9.20.23, and ISC BIND 9.21.22. Operators of the Supported Preview Edition should obtain the corresponding -S1 builds through their ISC support channel. Refer to the ISC CVE-2026-5946 Documentation for upgrade guidance.
Workarounds
- No supported workaround fully prevents the assertion failure; upgrading is required per the ISC advisory
- As a temporary measure, block inbound DNS messages with non-IN CLASS values at perimeter firewalls or DNS proxies where business requirements allow
- Disable dynamic updates and restrict NOTIFY acceptance to known secondary servers to reduce the reachable attack surface until patching is complete
# Example named.conf hardening to limit exposure
options {
    # Answer recursive queries only for internal clients
    allow-recursion { 10.0.0.0/8; 192.168.0.0/16; };
    # Refuse dynamic updates unless a zone explicitly re-enables them
    allow-update { none; };
    # Accept NOTIFY only from the known secondary servers
    allow-notify { 192.0.2.10; 192.0.2.11; };
    minimal-responses yes;
};
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.