ZeroPath at Black Hat USA 2026

BIND 9 CVE-2026-5946: Overview of Assertion Failures via Non-IN Class DNS Messages

A brief summary of CVE-2026-5946, a high severity denial of service vulnerability in ISC BIND 9 caused by improper handling of non-Internet class DNS messages. Includes technical details, patch analysis, and affected version ranges.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-20

BIND 9 CVE-2026-5946: Overview of Assertion Failures via Non-IN Class DNS Messages
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A set of closely related assertion failures in ISC BIND 9's handling of non-Internet class DNS messages means that a single unauthenticated packet can terminate a named process, taking down both authoritative and recursive DNS service. Given that BIND 9 remains the most widely deployed DNS software on the Internet, used by financial institutions, government agencies, ISPs, and universities worldwide, CVE-2026-5946 and its CVSS 7.5 score deserve prompt attention from any team running this software in production.

Technical Information

Root Cause

The core issue is that multiple code paths inside named implicitly assume they are operating on Internet (IN) class data. DNS supports several class values beyond IN, including CHAOS (used historically for network topology queries and commonly for version.bind responses) and HESIOD (used in some legacy directory services). The DNS protocol also defines meta-classes ANY and NONE for use in certain operations.

When a DNS message arrives with a non-IN class value and is routed into one of the following operations, the assumptions embedded in the code break down:

  • Recursion: The resolver logic assumes IN class throughout its processing chain.
  • Dynamic updates (UPDATE): The update handling code processes records using IN-specific type handlers.
  • Zone change notifications (NOTIFY): Notification processing does not account for non-IN class contexts.
  • IN-specific record type processing: When record types that only make sense in the IN class (such as A or AAAA records) are encountered in non-IN data, type confusion occurs.

The result is that internal consistency checks, implemented as C language assert() calls or ISC's equivalent REQUIRE() / INSIST() macros, fire and call abort(), terminating the named process immediately.

Weakness Classification

The vulnerability maps to five distinct CWE entries, which together paint a clear picture of the attack surface:

CWENameRole in the Vulnerability
CWE-20Improper Input ValidationNon-IN class values are not filtered before reaching sensitive code paths
CWE-125Out-of-bounds ReadMemory access violations during parsing of non-IN class record data
CWE-617Reachable AssertionThe direct crash mechanism; assertions intended as internal guards are reachable via external input
CWE-754Improper Check for Exceptional ConditionsMeta-class values (ANY, NONE) in the question section are not handled as exceptional cases
CWE-843Type ConfusionIN-specific record type handlers process non-IN data, accessing resources with incompatible type expectations

Attack Flow

  1. The attacker identifies a target running a vulnerable version of BIND 9 (any version from 9.11.0 through 9.21.21).
  2. The attacker constructs a DNS message with the CLASS field set to a non-IN value. For example, setting the QCLASS to CHAOS (value 3), HESIOD (value 4), ANY (value 255), or NONE (value 254).
  3. The message type is chosen to reach one of the vulnerable code paths: a standard recursive query, an UPDATE message, or a NOTIFY message.
  4. The attacker sends this single crafted packet to the target server over UDP or TCP on port 53.
  5. The named process receives the message, routes it into the affected code path, and hits a reachable assertion.
  6. The assertion calls abort(), and the named process terminates. DNS service is completely interrupted until the process is restarted.

No authentication is required. No user interaction is needed. The attack complexity is low. Both authoritative servers and resolvers are vulnerable, meaning the attack surface encompasses essentially any BIND 9 instance that accepts DNS traffic from untrusted networks.

Patch Information

ISC addressed CVE-2026-5946 in BIND 9 versions 9.18.49, 9.20.23, and 9.21.22 (as well as Supported Preview Editions 9.18.49-S1 and 9.20.23-S1), published on May 20, 2026. The fix is tracked under GitLab issue GL #5784 with the commit hash 7ce6ce37b1 on the 9.18 branch.

Patch Design

Rather than attempting to individually fix every assertion-triggering code path involving non-IN class messages, ISC chose a defense-in-depth approach: completely disable recursion, dynamic updates (UPDATE), and zone change notifications (NOTIFY) for views whose class is anything other than IN. This is an elegant solution because those protocol operations are fundamentally Internet-class concepts. There is no legitimate operational reason to recurse or accept dynamic updates in a CHAOS or HESIOD view. Authoritative service for non-IN zones, such as serving version.bind in class CHAOS, is explicitly preserved and continues to function normally.

Additional Safeguards

The patch introduces two proactive safeguards beyond disabling the vulnerable operations:

Startup warnings and configuration checking: If a server is configured with recursion yes; inside a non-IN view, named will now log a warning at startup. The same condition is flagged by named-checkconf, allowing administrators to catch and correct misconfigured zones before they are deployed.

FORMERR rejection of meta-class abuse: UPDATE and NOTIFY messages that specify the meta-classes ANY or NONE in the question section are now immediately rejected with a FORMERR (Format Error) response code. This closes a separate but closely related attack vector where meta-class values were being improperly processed, potentially reaching assertion-triggering code paths.

Upgrade Matrix

Affected Version RangeFixed VersionAvailability
9.18.0 through 9.18.489.18.49ISC Downloads
9.20.0 through 9.20.229.20.23ISC Downloads
9.21.0 through 9.21.219.21.22ISC Downloads
9.18.11-S1 through 9.18.48-S19.18.49-S1Available for eligible support customers
9.20.9-S1 through 9.20.22-S19.20.23-S1Available for eligible support customers

Versions 9.11.0 through 9.16.50 and their corresponding S1 editions are also affected but are no longer supported. Organizations on those branches must migrate to a currently supported release.

Post-Upgrade Behavioral Changes

Administrators should be aware that the patched versions introduce new default behaviors. Recursion, dynamic updates, and zone change notifications are now explicitly disabled for views with a class other than IN. Servers configured with recursion enabled in a non-IN view will log a warning at startup. UPDATE and NOTIFY messages specifying ANY or NONE meta-classes are now strictly rejected with a FORMERR response. These changes may affect monitoring baselines and should be accounted for during deployment.

Interim Workarounds

For organizations unable to patch immediately, ISC recommends two configuration-level mitigations: do not configure zones with a class other than IN, and do not expose servers that allow DNS Dynamic Update to the general Internet.

Affected Systems and Versions

The following BIND 9 version ranges are confirmed vulnerable:

  • 9.11.0 through 9.16.50 (end of life; no patches available; migration required)
  • 9.18.0 through 9.18.48
  • 9.20.0 through 9.20.22
  • 9.21.0 through 9.21.21
  • 9.11.3-S1 through 9.16.50-S1 (end of life; no patches available; migration required)
  • 9.18.11-S1 through 9.18.48-S1
  • 9.20.9-S1 through 9.20.22-S1

Both authoritative DNS servers and recursive resolvers running any of these versions are affected. Any named instance that accepts DNS traffic from untrusted sources and has not been patched is vulnerable, regardless of whether non-IN class zones are explicitly configured, because the vulnerable code paths can be reached through crafted queries alone.

Vendor Security History

ISC maintains a transparent security posture with BIND 9, operating under an open source model with MPL 2.0 licensing and a rigorous vulnerability disclosure policy. The organization actively supports multiple software branches simultaneously.

An interesting development in ISC's security practices is the use of LLM-based code analysis, which has reportedly been finding historic issues in the BIND 9 codebase. This effort has been significant enough to delay the upcoming BIND 9.22 release. The proactive use of automated analysis tools to surface legacy vulnerabilities suggests that CVE-2026-5946 may have been identified through this systematic review process rather than through external reports or exploitation.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization