PT-2026-42163 · Isc+3 · Bind 9+3
Published: 2026-05-17 · Updated: 2026-05-28
CVE-2026-5946
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
BIND 9 versions 9.11.0 through 9.16.50
BIND 9 versions 9.18.0 through 9.18.48
BIND 9 versions 9.20.0 through 9.20.22
BIND 9 versions 9.21.0 through 9.21.21
BIND 9 versions 9.11.3-S1 through 9.16.50-S1
BIND 9 versions 9.18.11-S1 through 9.18.48-S1
BIND 9 versions 9.20.9-S1 through 9.20.22-S1
Description
Multiple flaws exist in named regarding the handling of DNS messages where the CLASS is not Internet (IN), such as CHAOS or HESIOD, or messages specifying meta-classes like ANY or NONE in the question section. Specially crafted requests targeting code paths related to recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or the processing of IN-specific record types in non-IN data can trigger assertion failures in named.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
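The message properties named in the description (a question-section CLASS other than IN, the meta-classes ANY and NONE, and the UPDATE and NOTIFY opcodes) can be read directly from the raw DNS message. The following is an added example, not part of this advisory or of ISC's code; the helper names and the sample messages are constructed for illustration, and the parser looks only at the first question (zone) entry.

```python
import struct

# DNS CLASS values (RFC 1035, RFC 2136); IN = 1 is the only one treated as routine.
CLASS_NAMES = {1: "IN", 3: "CHAOS", 4: "HESIOD", 254: "NONE", 255: "ANY"}
OPCODES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}


def encode_name(name):
    """Encode a dotted name as DNS labels (used only to build the samples)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(name, qtype, qclass, opcode=0):
    """Construct a minimal one-question DNS message for exercising classify()."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def classify(msg):
    """Return (opcode, class, flagged) for the first question, or None if malformed."""
    if len(msg) < 12:
        return None
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        return None
    pos = 12
    while pos < len(msg) and msg[pos] != 0:  # walk the QNAME labels
        if msg[pos] & 0xC0:  # compression pointer: not expected in a question name
            return None
        pos += 1 + msg[pos]
    pos += 1  # skip the root label
    if pos + 4 > len(msg):
        return None
    _, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    opcode = OPCODES.get((flags >> 11) & 0xF, "OTHER")
    return opcode, CLASS_NAMES.get(qclass, f"CLASS{qclass}"), qclass != 1


if __name__ == "__main__":  # constructed samples, not captured traffic
    for m in (build_message("example.com", 1, 1), build_message("version.bind", 16, 3)):
        print(classify(m))
```

Flagged messages are input for triage rather than proof of abuse: CHAOS-class queries such as version.bind are also sent by ordinary diagnostic tools.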
Out of bounds Read
RCE
Assertion Failure
Type Confusion
Improper Check for Exceptional Conditions
Affected Products
Bind 9
Bind Server
Linuxmint
Ubuntu