Cyber Resilience

CVE-2026-5946

High

Published: 20 May 2026

Published
20 May 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0049 38.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5946 is a high-severity Improper Input Validation (CWE-20) vulnerability in Isc Bind. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially…

more

crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote exploitation of public-facing BIND named via crafted non-IN DNS messages directly enables T1190 and leads to application crash/DoS via T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1519Same product: Isc Bind
CVE-2026-3104Same product: Isc Bind
CVE-2026-3039Same product: Isc Bind
CVE-2026-5947Same product: Isc Bind
CVE-2026-3593Same product: Isc Bind
CVE-2026-44319Shared CWE-20, CWE-617
CVE-2026-44325Shared CWE-20, CWE-843
CVE-2026-40890Shared CWE-125
CVE-2026-37227Shared CWE-617
CVE-2026-30077Shared CWE-20

Affected Assets

isc
bind
9.11.0 — 9.16.50 · 9.18.0 — 9.18.49 · 9.20.0 — 9.20.23

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-20 CWE-754

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-754

Requires detection and response to audit logging failures as an unusual or exceptional condition.

addresses: CWE-754

Implements detection of unusual or exceptional conditions followed by safe mode entry, reducing the window for exploitation of unchecked conditions.

addresses: CWE-754

Training ensures users perform required checks for unusual or exceptional conditions as part of contingency roles, limiting attacker leverage from skipped validations.

addresses: CWE-754

IR testing directly validates checks for unusual or exceptional conditions that could indicate security incidents.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-754

Requires ongoing monitoring of organization-defined metrics and analysis, enabling checks for unusual or exceptional conditions.

addresses: CWE-754

Requires detection of unusual conditions followed by a controlled transition to the defined failure state.

References