Threat Feed
Advisory severity: medium

CVE-2026-5946: BIND 9 `named` Assertion Failure Vulnerability

Multiple flaws in BIND 9's `named` component, specifically versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1, can be exploited by sending specially crafted DNS requests with non-`IN` CLASS or meta-classes, leading to assertion failures and potential denial-of-service.

CVE-2026-5946 identifies multiple vulnerabilities within the named component of BIND 9, arising from improper handling of DNS messages employing a CLASS other than Internet (IN), such as CHAOS or HESIOD, or DNS messages with meta-classes (ANY or NONE) in the question section. An attacker can trigger these flaws by sending specially crafted DNS requests to a vulnerable BIND 9 server. The affected code paths include recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), and processing of IN-specific record types within non-IN data. Successful exploitation can lead to assertion failures in named, potentially causing a denial-of-service condition. The vulnerability impacts BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

Attack Chain

  1. The attacker identifies a vulnerable BIND 9 server.
  2. The attacker crafts a malicious DNS request. This request leverages a DNS CLASS other than IN, such as CHAOS, or includes meta-classes such as ANY or NONE in the question section.
  3. The attacker sends the crafted DNS request to the target BIND 9 server.
  4. The named process receives and parses the malicious DNS request.
  5. Due to the unexpected CLASS or meta-class, the named process enters a vulnerable code path during recursion, dynamic updates, zone change notifications, or processing of IN-specific record types in non-IN data.
  6. Within the vulnerable code path, the named process attempts an invalid operation based on the malicious request.
  7. This invalid operation triggers an assertion failure within the named process.
  8. The assertion failure may cause the named process to terminate or become unstable, resulting in a denial-of-service.

Impact

Successful exploitation of CVE-2026-5946 leads to assertion failures within the named process, causing potential instability or termination of the service. This results in a denial-of-service condition, disrupting DNS resolution services for affected networks and users. The severity of the impact depends on the role of the affected BIND 9 server; critical infrastructure DNS servers experiencing this issue can cause widespread outages.

Recommendation

  • Upgrade BIND 9 to a patched version (>= 9.16.51, >= 9.18.49, >= 9.20.23, >= 9.21.22) to remediate CVE-2026-5946.
  • Deploy the Sigma rule “Detect DNS queries with non-IN class” to identify potentially malicious DNS requests targeting this vulnerability.
  • Monitor DNS server logs for assertion failures in the named process, which may indicate exploitation attempts related to CVE-2026-5946.
  • Consider implementing rate limiting and request filtering to mitigate the impact of malicious DNS requests.
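To turn the version list above into something an operator can run against an inventory, here is an added example (not part of the advisory or of ISC's tooling) that checks a BIND version string against the affected ranges exactly as the advisory states them and names the first fixed release on the same branch. It assumes that `named -v` output starts with `BIND x.y.z` (with an optional `-S1` suffix for Subscription Edition builds); the advisory lists no separate fixed versions for the -S editions, so only the mainline fixed releases are reported.

```python
import re

# Affected ranges copied from the advisory, as inclusive (low, high) bounds.
# Mainline (open-source) releases:
AFFECTED_MAINLINE = [
    ((9, 11, 0), (9, 16, 50)),
    ((9, 18, 0), (9, 18, 48)),
    ((9, 20, 0), (9, 20, 22)),
    ((9, 21, 0), (9, 21, 21)),
]
# Subscription Edition (-S) releases start later in each branch:
AFFECTED_SUBSCRIPTION = [
    ((9, 11, 3), (9, 16, 50)),
    ((9, 18, 11), (9, 18, 48)),
    ((9, 20, 9), (9, 20, 22)),
]
# First fixed mainline release per branch (the advisory lists no -S fix versions).
FIXED_BY_MINOR = {16: "9.16.51", 18: "9.18.49", 20: "9.20.23", 21: "9.21.22"}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_version(text):
    """Return (major, minor, patch, edition) from text such as 'BIND 9.18.40'
    or '9.20.9-S1' (the 'BIND x.y.z' prefix is the assumed shape of
    `named -v` output), or None when no version string is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), m[4] or "")


def is_affected(text):
    """True when the version found in `text` lies inside an affected range."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no BIND version found in {text!r}")
    core, edition = v[:3], v[3]
    ranges = AFFECTED_SUBSCRIPTION if edition else AFFECTED_MAINLINE
    return any(lo <= core <= hi for lo, hi in ranges)


def recommended_fix(text):
    """Smallest fixed mainline release on the same branch (9.11 through 9.16
    all move to 9.16.51, matching the advisory's remediation list), or None
    when the branch is not one the advisory covers."""
    v = parse_version(text)
    if v is None or v[0] != 9:
        return None
    minor = v[1]
    if 11 <= minor <= 16:
        return FIXED_BY_MINOR[16]
    return FIXED_BY_MINOR.get(minor)


if __name__ == "__main__":
    for sample in ("BIND 9.18.40", "BIND 9.18.49", "9.20.9-S1", "BIND 9.16.51"):
        status = "affected" if is_affected(sample) else "not affected"
        print(f"{sample}: {status}; fixed in {recommended_fix(sample)}")
```

Feed it the first line of `named -v` from each resolver; a version outside every listed branch (for example a 9.17 development build) is reported as not affected simply because the advisory does not list it, not because it has been verified safe.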

Detection coverage (2 rules)

Detect DNS queries with non-IN class

low

Detects DNS queries with a CLASS other than IN, potentially indicating an attempt to trigger CVE-2026-5946.

Rule format: Sigma. Tactics: cve-2026-5946, denial_of_service. Techniques: T1499.001. Log source: dns_query.

Detect named process crashes due to assertion failures

medium

Detects `named` process crashes in system logs that are caused by assertion failures, possibly related to CVE-2026-5946.

Rule format: Sigma. Tactics: cve-2026-5946, denial_of_service. Techniques: T1499. Log source: system.
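The two rules above describe detections in prose only. The following added example (my own code, not the platform's Sigma rules and not ISC's) implements both checks over constructed input: a small RFC 1035 wire-format parser that flags any question whose CLASS is not IN, separating the meta-classes ANY and NONE from real non-IN classes such as CH and HS, and a log scanner that picks out `named` assertion failures. The log patterns are based on BIND's assertion macros (REQUIRE, INSIST, ENSURE) and its "exiting (due to assertion failure)" message; the sample syslog lines and the DNS queries are constructed for the example, and the exact wording should be confirmed against your own `named` logs before deploying.

```python
import re
import struct

# DNS CLASS values: IN/CH/HS from RFC 1035, NONE from RFC 2136, ANY from RFC 1035.
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 254: "NONE", 255: "ANY"}
META_CLASSES = {254, 255}


def parse_questions(msg):
    """Parse the header and question section of a DNS message in wire format.
    Returns a list of (qname, qtype, qclass). Truncated or malformed input
    raises ValueError rather than being silently treated as an IN query."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(msg):
                raise ValueError("truncated QNAME")
            length = msg[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                # Compression pointers are not expected in a query's question
                # section; refuse rather than guess.
                raise ValueError("compression pointer in question QNAME")
            if pos + length > len(msg):
                raise ValueError("truncated label")
            labels.append(msg[pos:pos + length].decode("ascii", "replace"))
            pos += length
        if pos + 4 > len(msg):
            raise ValueError("truncated QTYPE/QCLASS")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels) or ".", qtype, qclass))
    return questions


def flag_non_in_questions(msg):
    """Return (qname, class name, kind) for every question whose CLASS is not
    IN, distinguishing the meta-classes ANY/NONE from real classes (CH, HS)."""
    findings = []
    for qname, _qtype, qclass in parse_questions(msg):
        if qclass == 1:
            continue
        kind = "meta-class" if qclass in META_CLASSES else "non-IN class"
        findings.append((qname, CLASS_NAMES.get(qclass, str(qclass)), kind))
    return findings


def build_query(qname, qtype, qclass, txid=0x1234):
    """Constructed test input: a minimal standard query (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in qname.strip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)


# BIND's assertion macros (REQUIRE/INSIST/ENSURE) and its shutdown message.
ASSERTION_RE = re.compile(
    r"named\[\d+\]:.*(?:\b(?:REQUIRE|INSIST|ENSURE)\(.*\) failed|assertion failure)")


def find_assertion_failures(lines):
    """Return the log lines that indicate a named assertion failure."""
    return [line for line in lines if ASSERTION_RE.search(line)]


# Constructed sample syslog lines (not real telemetry): one ordinary query log
# entry, then the two lines a named assertion failure leaves behind.
SAMPLE_LOG = [
    "Mar  3 10:01:02 ns1 named[1234]: client @0x7f3c 198.51.100.7#53000 "
    "(example.com): query: example.com IN A +E(0)K (192.0.2.53)",
    "Mar  3 10:01:03 ns1 named[1234]: general: critical: resolver.c:1234: "
    "REQUIRE(...) failed",
    "Mar  3 10:01:03 ns1 named[1234]: general: critical: exiting (due to assertion failure)",
]

if __name__ == "__main__":
    for q in (build_query("example.com", 1, 1),
              build_query("version.bind", 16, 3),
              build_query("example.com", 1, 255)):
        print(flag_non_in_questions(q))
    for line in find_assertion_failures(SAMPLE_LOG):
        print("ALERT:", line)
```

The first rule is rated low for a reason the code makes visible: a CH-class query such as `version.bind TXT` is what monitoring tools and administrators legitimately send, so a non-IN hit on its own is a trigger for correlation (source address, volume, whether an assertion line follows in the system log), not an incident. The assertion-failure match is the stronger signal because it records the outcome the advisory warns about, regardless of how the request was crafted.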
