7.5

CVE-2026-5946

Medienbericht

Invalid handling of CLASS != IN

Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
IscBind SwEdition- Version >= 9.11.0 <= 9.16.50
IscBind SwEdition- Version >= 9.18.0 < 9.18.49
IscBind SwEdition- Version >= 9.20.0 < 9.20.23
IscBind SwEdition- Version >= 9.21.0 < 9.21.22
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.81% 0.759
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-officer@isc.org 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

CWE-1287 Improper Validation of Specified Type of Input

The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-617 Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
05.06.2026 12:48
https://downloads.isc.org/isc/bind9/9.18.49
Patch
https://downloads.isc.org/isc/bind9/9.20.23
Patch
https://downloads.isc.org/isc/bind9/9.21.22
Patch
https://kb.isc.org/docs/cve-2026-5946
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:20334
https://access.redhat.com/errata/RHSA-2026:23360
https://access.redhat.com/errata/RHSA-2026:24338
https://access.redhat.com/errata/RHSA-2026:24339
https://access.redhat.com/errata/RHSA-2026:24367
https://access.redhat.com/errata/RHSA-2026:24368
https://access.redhat.com/security/cve/CVE-2026-5946
https://bugzilla.redhat.com/show_bug.cgi?id=2479771
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-5946.json