CVE-2026-5946

ISC · BIND 9

Multiple flaws in the BIND 9 `named` component allow for improper input validation and out-of-bounds reads when handling non-Internet DNS message classes.

Executive summary

A critical vulnerability in the ISC BIND 9 DNS server software allows for potential service disruption or crashes due to improper handling of specific DNS message classes.

Vulnerability

This vulnerability involves improper input validation (CWE-20), out-of-bounds read (CWE-125), and reachable assertions (CWE-617) within `named`. It can be triggered by unauthenticated remote attackers sending specially crafted DNS queries containing non-standard classes like CHAOS, HESIOD, or meta-classes.

Business impact

Successful exploitation of this flaw can lead to a denial-of-service (DoS) condition, crashing the DNS service and rendering name resolution unavailable for dependent infrastructure. Given the CVSS score of 7.5, this poses a significant risk to network availability and business continuity.

Remediation

Immediate Action: Upgrade to the patched releases: 9.18.49, 9.20.23, 9.21.22, 9.18.49-S1, or 9.20.23-S1.

Proactive Monitoring: Monitor `named` service logs for frequent restarts or crash reports coinciding with unusual DNS query traffic patterns.

Compensating Controls: Implement firewall rules to drop non-standard DNS query traffic if your environment does not require support for CHAOS or HESIOD classes.
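The two defensive steps above (watching query logs for unusual class traffic, and filtering non-Internet-class queries where they are not needed) can both be exercised with a small script. The following is an added example written for this page; it is not ISC's code nor part of the advisory. The log lines are constructed in the style of BIND's query log channel (`client @0x... src#port (qname): query: qname CLASS TYPE ...`), the `QUERY_LOG_RE` pattern and the "drop anything that is not class IN" policy in `should_drop` are assumptions for illustration, and the wire-format parser only handles the question section of a query, which is all a class check needs.

```python
import re
import struct
from collections import Counter

# RFC 1035 / IANA class codes for the classes named in the advisory.
DNS_CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 254: "NONE", 255: "ANY"}

# Constructed sample lines (not real traffic) in BIND 9 query-log style.
SAMPLE_QUERY_LOG = """\
client @0x7f3a4c01 198.51.100.7#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)
client @0x7f3a4c02 198.51.100.7#51235 (version.bind): query: version.bind CH TXT + (192.0.2.53)
client @0x7f3a4c03 203.0.113.9#40001 (host.example.com): query: host.example.com HS A + (192.0.2.53)
client @0x7f3a4c04 198.51.100.7#51236 (mail.example.com): query: mail.example.com IN MX +E(0)K (192.0.2.53)
client @0x7f3a4c05 203.0.113.9#40002 (test.example.com): query: test.example.com ANY A + (192.0.2.53)
"""

# Assumed log layout: "client [@0xptr] src#port (qname): query: qname CLASS TYPE ...".
QUERY_LOG_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[^#\s]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def non_internet_queries(log_text: str):
    """Count queries whose class is not IN, by class and by source address.

    A spike in either counter is the 'unusual query traffic' the advisory says
    to correlate with named restarts or crash reports.
    """
    by_class, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = QUERY_LOG_RE.search(line)
        if not m or m["qclass"] == "IN":
            continue
        by_class[m["qclass"]] += 1
        by_source[m["src"]] += 1
    return by_class, by_source


def build_query(qname: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """Assemble a minimal DNS query (12-byte header + one question) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def question_class(packet: bytes) -> int:
    """Return the QCLASS of the first question; raise ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos = 12
    while True:  # walk the QNAME labels, bounds-checking every read
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointers are not valid in a query's question
            raise ValueError("compression pointer in question name")
        pos += 1 + length
    if pos + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    _qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qclass


def classify_query(packet: bytes) -> str:
    """Name the question class ('IN', 'CH', ...), or 'malformed' if it cannot be read."""
    try:
        qclass = question_class(packet)
    except ValueError:
        return "malformed"
    return DNS_CLASS_NAMES.get(qclass, f"CLASS{qclass}")


def should_drop(packet: bytes) -> bool:
    """Assumed filter policy: allow only class IN; drop every other or malformed query."""
    return classify_query(packet) != "IN"


if __name__ == "__main__":
    by_class, by_source = non_internet_queries(SAMPLE_QUERY_LOG)
    print("non-IN queries by class:", dict(by_class))
    print("non-IN queries by source:", dict(by_source))
    for name, qtype, qclass in [("www.example.com", 1, 1), ("version.bind", 16, 3)]:
        pkt = build_query(name, qtype, qclass)
        print(name, classify_query(pkt), "drop" if should_drop(pkt) else "pass")
```

`non_internet_queries` is the log-side check: run it over the query-log channel around the time of a `named` restart and a burst of CH, HS, NONE or ANY-class queries from one source is the correlation the advisory asks you to look for. `should_drop` is the traffic-side check for environments that have no use for CHAOS or HESIOD; a resolver front end or packet filter can apply the same logic, but it is a compensating control only, and upgrading to the fixed releases remains the remediation.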

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations running BIND 9 must prioritize patching to the versions listed above. Given the potential for automated exploitation, failure to address this flaw could lead to significant infrastructure outages.