DNS Message Handling Vulnerabilities in BIND by ISC
CVE-2026-5946

7.5HIGH

Key Information:

Vendor: Isc
Status: Bind 9
Vendor: CVE Published:; 20 May 2026

Badges

👾 Exploit Exists

What is CVE-2026-5946?

Several vulnerabilities have been detected in the named component of BIND related to the processing of DNS messages that are outside the Internet (IN) class, such as CHAOS and HESIOD, as well as those indicating meta-classes like ANY or NONE. These vulnerabilities may lead to assertion failures in various contexts including recursion, dynamic updates, zone change notifications, or when processing IN-specific record types using non-IN data. Users of affected versions should consider immediate remediation to mitigate risk.

Affected Version(s)

BIND 9 9.11.0 <= 9.16.50

BIND 9 9.18.0 <= 9.18.48

BIND 9 9.20.0 <= 9.20.22

References

https://kb.isc.org/docs/cve-2026-5946

vendor-advisory

https://downloads.isc.org/isc/bind9/9.18.49

patch

https://downloads.isc.org/isc/bind9/9.20.23

patch

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
May 20, 2026
Vulnerability published
May 20, 2026
Vulnerability Reserved
Apr 9, 2026

Credit

ISC would like to thank Mcsky23 for bringing this vulnerability to our attention.

CVE-2026-5946 Data

JSON

Isc

Badges

What is CVE-2026-5946?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit