CVE-2026-5946
Published 2026-05-20
Priority P3 · 51 · high · 7.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS 1.81% (75.9th percentile)
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
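For triage on resolvers that cannot be upgraded immediately, the sketch below parses the header and question section of a captured DNS request and reports any question whose CLASS is not `IN`, together with the opcode (`QUERY`, `NOTIFY`, `UPDATE`). It is an added example, not code from ISC or from this advisory; the function names and sample messages are constructed for illustration, and a finding only means the request falls in the category the advisory describes, not that it would trigger an assertion.

```python
import struct

CLASS_NAMES = {1: "IN", 3: "CHAOS", 4: "HESIOD", 254: "NONE", 255: "ANY"}
OPCODE_NAMES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}
META_CLASSES = {254, 255}  # NONE, ANY

def _read_name(msg, off):
    """Decode an uncompressed owner name; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        off += 1
        if length == 0:
            return ".".join(labels) or ".", off
        if length > 63 or off + length > len(msg):  # also rejects pointers
            raise ValueError("bad label in question section")
        labels.append(msg[off:off + length].decode("ascii", "backslashreplace"))
        off += length

def triage_request(msg):
    """Return one finding per question whose CLASS is not IN."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount = struct.unpack_from("!HHH", msg, 0)
    if flags & 0x8000:  # QR=1: a response, not a request
        return []
    opcode = OPCODE_NAMES.get((flags >> 11) & 0xF, "OTHER")
    findings, off = [], 12
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        _qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        if qclass != 1:
            kind = "meta-class" if qclass in META_CLASSES else "non-IN"
            findings.append((opcode, name, CLASS_NAMES.get(qclass, str(qclass)), kind))
    return findings

def build_sample(name, qtype, qclass, opcode=0):
    """Constructed sample request (one question) for exercising triage_request."""
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return header + qname + struct.pack("!HH", qtype, qclass)

if __name__ == "__main__":
    for sample in (build_sample("example.com", 1, 1),
                   build_sample("version.bind", 16, 3),
                   build_sample("example.com", 6, 255, opcode=4)):
        print(triage_request(sample))
```

Some non-`IN` requests are routine (for example `version.bind CH TXT`), so findings are best used to measure how much such traffic a server sees before deciding whether to filter it upstream.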
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| isc | bind | — | — |
| isc | bind | 9.11.0 – 9.16.50 | — |
| isc | bind | >= 9.18.0 < 9.18.49 | 9.18.49 |
| isc | bind | >= 9.20.0 < 9.20.23 | 9.20.23 |
| isc | bind | >= 9.21.0 < 9.21.22 | 9.21.22 |
| isc | bind_9 | 9.11.0 – 9.16.50 | — |
| isc | bind_9 | 9.11.3-S1 – 9.16.50-S1 | — |
| isc | bind_9 | 9.18.0 – 9.18.48 | — |
| isc | bind_9 | 9.18.11-S1 – 9.18.48-S1 | — |
| isc | bind_9 | 9.20.0 – 9.20.22 | — |
| isc | bind_9 | 9.20.9-S1 – 9.20.22-S1 | — |
| isc | bind_9 | 9.21.0 – 9.21.21 | — |
| isc | dhcp | — | — |
| ubuntu | bind9 | — | — |
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat · 7.5 HIGH
vendor_ubuntu · 7.5 HIGH
Ubuntu
Bind vulnerabilities
vendor_ubuntu·2026-05-21·CVSS 7.5
CVE-2026-5950 [HIGH] Bind vulnerabilities
Title: Bind vulnerabilities
Summary: Several security issues were fixed in Bind.
Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API
TKEY negotiation. A remote attacker could possibly use this issue to cause
Bind to use excessive resources, leading to a denial of service.
(CVE-2026-3039)
Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue
records. A remote attacker could possibly use this issue to use Bind in
denial of service amplification attacks against other systems.
(CVE-2026-3592)
Naresh Kandula Parmar discovered that Bind incorrectly handled memory in
the DNS-over-HTTPS implementation. A remote attacker could possibly use
this issue to cause Bind to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affe
Red Hat
bind: Invalid handling of CLASS != IN
vendor_redhat·2026-05-21·CVSS 7.5
CVE-2026-5946 [HIGH] bind: Invalid handling of CLASS != IN
No description is available for this CVE.
Package: bind (Red Hat Enterprise Linux 10) - Affected
Package: bind (Red Hat Enterprise Linux 6) - Affected
Package: bind (Red Hat Enterprise Linux 7) - Affected
Package: bind (Red Hat Enterprise Linux 8) - Affected
Package: bind9.16 (Red Hat Enterprise Linux 8) - Affected
Package: bind (Red Hat Enterprise Linux 9) - Affected
Package: bind9.18 (Red Hat Enterprise Linux 9) - Affected
Package: dhcp (Red Hat Enterprise Linux 9) - Affected
Package: rhcos (Red Hat OpenShift Container Platform 4) - Affected
GHSA
GHSA-cqgq-ff3f-rj7r
ghsa_unreviewed·2026-05-20
CVE-2026-5946 [HIGH] CWE-20 GHSA-cqgq-ff3f-rj7r
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
VulDB
ISC BIND up to 9.21.21 named recursion (Nessus ID 315661)
vuldb·2026-05-20·CVSS 7.5
CVE-2026-5946 [HIGH] ISC BIND up to 9.21.21 named recursion (Nessus ID 315661)
A vulnerability described as problematic has been identified in ISC BIND up to 9.21.21. Affected is an unknown function of the component named. Such manipulation leads to uncontrolled recursion.
This vulnerability is referenced as CVE-2026-5946. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-5946 dhcp: Invalid handling of CLASS != IN [fedora-all]
bugzilla·2026-06-03·CVSS 7.5
CVE-2026-5946 [HIGH] CVE-2026-5946 dhcp: Invalid handling of CLASS != IN [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
ISC DHCP is not affected. It does not process any DNS messages. This is a BIND server-side issue.
ISC DHCP uses portions of the ISC BIND libraries (primarily libdns, omapi, and libisccfg) only to support DDNS (TSIG support, DNS message construction/parsing, DHCID generation), OMAPI related operations, basic functions (configuration handling, data structures, logging, networking primitives).
Bugzilla
CVE-2026-5946 bind: Invalid handling of CLASS != IN [fedora-all]
bugzilla·2026-06-03·CVSS 7.5
CVE-2026-5946 [HIGH] CVE-2026-5946 bind: Invalid handling of CLASS != IN [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
*** This bug has been marked as a duplicate of bug 2480121 ***
Bugzilla
CVE-2026-5946 bind: Invalid handling of CLASS != IN
bugzilla·2026-05-19·CVSS 7.5
CVE-2026-5946 [HIGH] CVE-2026-5946 bind: Invalid handling of CLASS != IN
Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet (IN) — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes (ANY or NONE) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (UPDATE), zone change notifications (NOTIFY), or processing of IN-specific record types in non-IN data — can cause assertion failures in named.
Hackernews
⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
blogs_hackernews·2026-06-01·CVSS 7.8
CVE-2026-0257 [HIGH] ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
## ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More
Monday hit like a cron job with anger issues.
A busted auth path here, a repo-side faceplant there, some "patched-ish" thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought 'curl | sh' had a personality.
The vibe is simple: old bugs, new wrappers, faster abuse. Patch the obvious crap first. Then read the rest.
## ⚡ Threat of the Week
PAN-OS GlobalProtect Authenticati
https://downloads.isc.org/isc/bind9/9.18.49
https://downloads.isc.org/isc/bind9/9.20.23
https://downloads.isc.org/isc/bind9/9.21.22
https://kb.isc.org/docs/cve-2026-5946
https://access.redhat.com/errata/RHSA-2026:20334
https://access.redhat.com/errata/RHSA-2026:23360
https://access.redhat.com/errata/RHSA-2026:24338
https://access.redhat.com/errata/RHSA-2026:24339
https://access.redhat.com/errata/RHSA-2026:24367
https://access.redhat.com/errata/RHSA-2026:24368
https://access.redhat.com/security/cve/CVE-2026-5946
https://bugzilla.redhat.com/show_bug.cgi?id=2479771
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5946.json