CVE-2026-5946
ISC · BIND 9
Multiple flaws in the BIND 9 `named` daemon cause improper input validation and out-of-bounds reads when it handles DNS messages in non-Internet (non-IN) classes.
Executive summary
A high-severity vulnerability (CVSS 7.5) in the ISC BIND 9 DNS server allows a remote attacker to crash `named`, disrupting name resolution, through improper handling of DNS queries in specific non-Internet message classes.
Vulnerability
This vulnerability combines improper input validation (CWE-20), out-of-bounds reads (CWE-125), and reachable assertions (CWE-617) within named. An unauthenticated remote attacker can trigger it by sending specially crafted DNS queries whose QCLASS is not IN, such as CHAOS (CH), HESIOD (HS), or the DNS meta-classes (for example ANY and NONE). A reachable assertion in named terminates the process, so the practical outcome is a crash rather than code execution.
Business impact
Successful exploitation results in a denial-of-service (DoS) condition: named crashes and name resolution becomes unavailable for every system that depends on the affected server. With a CVSS base score of 7.5 (High), and no authentication or user interaction required, this is a significant risk to network availability and business continuity, particularly for Internet-facing authoritative servers and recursive resolvers that accept queries from untrusted clients.
Remediation
Immediate Action: Upgrade to a patched release: 9.18.49, 9.20.23, or 9.21.22, or, for the Supported Preview Editions, 9.18.49-S1 or 9.20.23-S1. Confirm the running binary with `named -v` after the upgrade, since a package upgrade does not always restart a long-running named process.
Proactive Monitoring: Watch the named log channels and the service manager's restart records for assertion-failure messages and unexpected exits that coincide with unusual query traffic. If you need to see the class of incoming queries, enable BIND query logging temporarily (`rndc querylog on`); each logged query line includes the QCLASS (for example `IN` or `CH`).
Compensating Controls: If your environment does not require CHAOS or HESIOD queries, drop non-IN queries before they reach named. Note that QCLASS sits inside the DNS payload at a variable offset (after the QNAME), so plain address/port firewall rules cannot match it; this needs a DNS-aware filter such as a DNS proxy, IDS/IPS rule, or a front-end resolver. Blocking class CH also blocks `version.bind` and `hostname.bind` probes, which is usually desirable. Treat this as a stopgap, not a substitute for the upgrade.
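The monitoring and filtering steps above both hinge on reading the QCLASS out of the DNS question section, which lives after the variable-length QNAME rather than at a fixed offset. The following Python script is an added example written for this page; it is not ISC code and not an exploit for CVE-2026-5946. It parses the first question of a raw DNS query, rejects truncated or malformed input rather than reading past the buffer, and counts non-IN queries per source address. All function names are this example's own, and the sample traffic is constructed inline using RFC 5737 documentation addresses.

```python
"""Classify DNS query messages by QCLASS to spot non-IN traffic."""
import struct
from collections import Counter

# IANA DNS CLASS values (RFC 1035 section 3.2.4, RFC 2136 section 2.5.5)
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 254: "NONE", 255: "ANY"}


def parse_question(packet: bytes):
    """Return (qname, qtype, qclass) for the first question in a DNS message.

    Walks the variable-length QNAME labels, which is why QCLASS has no fixed
    offset and cannot be matched by an address/port firewall rule. Raises
    ValueError on truncated or malformed input instead of reading past the
    end of the buffer.
    """
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount == 0:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) or ".", qtype, qclass


def build_query(qname: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b""
    for label in qname.rstrip(".").split("."):
        if label:
            name += bytes([len(label)]) + label.encode("ascii")
    name += b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


def non_in_queries_by_source(packets):
    """Count queries per source whose QCLASS is not IN (1).

    packets: iterable of (source_ip, raw_dns_message). Malformed messages are
    counted under the 'malformed' key for that source, since they deserve
    the same attention as unusual-class queries.
    """
    counts = Counter()
    for src, raw in packets:
        try:
            _, _, qclass = parse_question(raw)
        except ValueError:
            counts[(src, "malformed")] += 1
            continue
        if qclass != 1:
            counts[(src, CLASS_NAMES.get(qclass, f"CLASS{qclass}"))] += 1
    return counts


# Constructed sample traffic (not captured data): one ordinary IN query, a
# version.bind CH probe, a HESIOD query, an ANY-class query, and a message
# truncated in the middle of its QNAME.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_query("www.example.com", 1, 1)),
    ("198.51.100.7", build_query("version.bind", 16, 3)),
    ("198.51.100.7", build_query("user.hesiod.example", 16, 4)),
    ("198.51.100.7", build_query("example.com", 1, 255)),
    ("203.0.113.5", build_query("example.com", 1, 1)[:20]),
]

if __name__ == "__main__":
    for (src, cls), n in sorted(non_in_queries_by_source(SAMPLE_PACKETS).items()):
        print(f"{src:15} {cls:10} {n}")
```

Feed `non_in_queries_by_source` with (source, payload) pairs pulled from a capture of UDP/53 traffic, and alert on any source that sends more than a handful of non-IN or malformed queries; a legitimate client almost never does. The same QNAME walk is what a DNS-aware filter must perform before it can drop class CH or HS, which is why the compensating control cannot be expressed as a plain firewall rule.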
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations running BIND 9 should prioritize upgrading to the versions listed above. No public exploit is known at the time of writing, but the trigger is an unauthenticated query and the outcome is a process crash, so once details circulate the flaw lends itself to automated exploitation, and an unpatched server risks repeated outages of name resolution for everything behind it.