{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5946/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5946"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["BIND 9"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","dns","bind9","CVE-2026-5946"],"_cs_type":"advisory","_cs_vendors":["ISC"],"content_html":"\u003cp\u003eCVE-2026-5946 identifies multiple vulnerabilities within the \u003ccode\u003enamed\u003c/code\u003e component of BIND 9, arising from improper handling of DNS messages employing a CLASS other than Internet (\u003ccode\u003eIN\u003c/code\u003e), such as \u003ccode\u003eCHAOS\u003c/code\u003e or \u003ccode\u003eHESIOD\u003c/code\u003e, or DNS messages with meta-classes (\u003ccode\u003eANY\u003c/code\u003e or \u003ccode\u003eNONE\u003c/code\u003e) in the question section. An attacker can trigger these flaws by sending specially crafted DNS requests to a vulnerable BIND 9 server. The affected code paths include recursion, dynamic updates (\u003ccode\u003eUPDATE\u003c/code\u003e), zone change notifications (\u003ccode\u003eNOTIFY\u003c/code\u003e), and processing of \u003ccode\u003eIN\u003c/code\u003e-specific record types within non-\u003ccode\u003eIN\u003c/code\u003e data. Successful exploitation can lead to assertion failures in \u003ccode\u003enamed\u003c/code\u003e, potentially causing a denial-of-service condition. The vulnerability impacts BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable BIND 9 server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS request. This request leverages a DNS CLASS other than \u003ccode\u003eIN\u003c/code\u003e, such as \u003ccode\u003eCHAOS\u003c/code\u003e, or includes meta-classes such as \u003ccode\u003eANY\u003c/code\u003e or \u003ccode\u003eNONE\u003c/code\u003e in the question section.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted DNS request to the target BIND 9 server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enamed\u003c/code\u003e process receives and parses the malicious DNS request.\u003c/li\u003e\n\u003cli\u003eDue to the unexpected CLASS or meta-class, the \u003ccode\u003enamed\u003c/code\u003e process enters a vulnerable code path during recursion, dynamic updates, zone change notifications, or processing of \u003ccode\u003eIN\u003c/code\u003e-specific record types in non-\u003ccode\u003eIN\u003c/code\u003e data.\u003c/li\u003e\n\u003cli\u003eWithin the vulnerable code path, the \u003ccode\u003enamed\u003c/code\u003e process attempts an invalid operation based on the malicious request.\u003c/li\u003e\n\u003cli\u003eThis invalid operation triggers an assertion failure within the \u003ccode\u003enamed\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe assertion failure may cause the \u003ccode\u003enamed\u003c/code\u003e process to terminate or become unstable, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5946 leads to assertion failures within the \u003ccode\u003enamed\u003c/code\u003e process, causing potential instability or termination of the service. This results in a denial-of-service condition, disrupting DNS resolution services for affected networks and users. The severity of the impact depends on the role of the affected BIND 9 server; critical infrastructure DNS servers experiencing this issue can cause widespread outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade BIND 9 to a patched version (\u0026gt;= 9.16.51, \u0026gt;= 9.18.49, \u0026gt;= 9.20.23, \u0026gt;= 9.21.22) to remediate CVE-2026-5946.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect DNS queries with non-IN class\u0026rdquo; to identify potentially malicious DNS requests targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor DNS server logs for assertion failures in the \u003ccode\u003enamed\u003c/code\u003e process, which may indicate exploitation attempts related to CVE-2026-5946.\u003c/li\u003e\n\u003cli\u003eConsider implementing rate limiting and request filtering to mitigate the impact of malicious DNS requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T13:19:46Z","date_published":"2026-05-20T13:19:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-5946-bind9-assertion-failure/","summary":"Multiple flaws in BIND 9's `named` component, specifically versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1, can be exploited by sending specially crafted DNS requests with non-`IN` CLASS or meta-classes, leading to assertion failures and potential denial-of-service.","title":"CVE-2026-5946: BIND 9 `named` Assertion Failure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-5946-bind9-assertion-failure/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-5946","version":"https://jsonfeed.org/version/1.1"}