Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

The remote Debian 12 / 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6285 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6285-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     May 20, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : bind9     CVE ID         : CVE-2026-3039 CVE-2026-3592 CVE-2026-5946                      CVE-2026-5950 CVE-2026-5947 CVE-2026-3593

    Several vulnerabilities were discovered in BIND, a DNS server     implementation, which may result in denial of service.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 1:9.18.49-1~deb12u1.

    For the stable distribution (trixie), these problems have been fixed in     version 1:9.20.23-1~deb13u1.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Debian Linux - bind9 - None (CVE-2026-5946)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2026-5946 advisory.

  - Debian Linux - bind9 - None (CVE-2026-5946)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
315942	Debian dsa-6285 : bind9 - security update	Nessus	Debian Local Security Checks	high
315765	Linux Distros Unpatched Vulnerability : CVE-2026-5946	Nessus	Misc.	critical
315661	ISC BIND 9.11.0 < 9.18.49 / 9.11.3-S1 < 9.18.49-S1 / 9.18.0 < 9.18.49 / 9.18.11-S1 < 9.18.49-S1 / 9.20.0 < 9.20.23 / 9.20.9-S1 < 9.20.23-S1 / 9.21.0 < 9.21.22 Assertion Failure (cve-2026-5946)	Nessus	DNS	high

Detections

Analytics

CVE-2026-5946

high

Tenable Plugins

high

critical

high