ISC BIND 9 Invalid Handling of Non-IN DNS Classes Leading to Assertion Failures

Vulnerability

A vulnerability exists in ISC BIND 9's `named` component, specifically in versions 9.11.0 prior to 9.16.50, 9.18.0 prior to 9.18.48, 9.20.0 prior to 9.20.22, and 9.21.0 prior to 9.21.21. This vulnerability arises from improper handling of DNS messages that are not in the Internet class, such as those in the CHAOS or HESIOD classes, or messages that use meta-classes like ANY or NONE. When these specially crafted requests are processed through affected code paths—such as recursion, dynamic updates, zone change notifications, or the handling of IN-specific record types in non-IN data—assertion failures can occur, causing the `named` server to terminate unexpectedly. This issue affects both authoritative and resolver instances of BIND 9.
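The classes and opcodes the advisory names (CHAOS, HESIOD, ANY and NONE; query, NOTIFY and dynamic UPDATE) can be picked out of DNS traffic with a small wire-format parser, which lets an operator see whether such messages are reaching `named` at all while an upgrade is being scheduled. The following Python is an added example, not ISC or BIND code: it decodes the standard RFC 1035 header and the first question entry (the zone entry, for UPDATE) of a message and returns every message whose class is not IN, plus any message it cannot parse. The sample messages are constructed inline, and all function and constant names are this example's own.

```python
"""Flag non-IN class DNS messages (added example; not ISC/BIND code)."""
import struct

# RFC 1035 / IANA class and opcode numbers relevant to the advisory.
CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS", 254: "NONE", 255: "ANY"}
OPCODE_NAMES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_message(qname: str, qtype: int, qclass: int, opcode: int = 0,
                  txid: int = 0x1234) -> bytes:
    """Build a minimal one-entry wire message; used only to construct samples."""
    flags = (opcode & 0xF) << 11          # QR=0, no other flags set
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def _read_name(msg: bytes, off: int):
    """Read a name at offset, following compression pointers with a hop limit."""
    labels, hops, end = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:         # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2             # parsing resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_question(msg: bytes) -> dict:
    """Return the opcode and the first question/zone entry of a message."""
    if len(msg) < 12:
        raise ValueError("shorter than DNS header")
    txid, flags, qdcount, *_ = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    if qdcount == 0:
        raise ValueError("no question/zone section")
    qname, off = _read_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "id": txid,
        "opcode": OPCODE_NAMES.get(opcode, f"OPCODE{opcode}"),
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
        "qclass_name": CLASS_NAMES.get(qclass, f"CLASS{qclass}"),
    }


def flag_non_in(messages):
    """Return a record for every message whose class is not IN, and for every
    message that fails to parse (malformed input also deserves a look)."""
    findings = []
    for raw in messages:
        try:
            q = parse_question(raw)
        except ValueError as exc:
            findings.append({"error": str(exc)})
            continue
        if q["qclass"] != 1:
            findings.append(q)
    return findings


# Constructed sample traffic (not captured data): a normal IN query, a CHAOS
# query, an UPDATE whose zone entry is in the HESIOD class, and an ANY-class NOTIFY.
SAMPLES = [
    build_message("www.example.com", 1, 1),           # A / IN: ordinary
    build_message("version.bind", 16, 3),             # TXT / CH
    build_message("example.com", 6, 4, opcode=5),     # SOA / HS in UPDATE zone section
    build_message("example.com", 6, 255, opcode=4),   # SOA / ANY in NOTIFY
]

if __name__ == "__main__":
    for finding in flag_non_in(SAMPLES):
        print(finding)
```

Feed it the UDP payloads (or TCP payloads after the two-byte length prefix) extracted from a capture on port 53. Treat the output as a triage filter rather than an attack signal: CH-class queries for `version.bind` and `hostname.bind` are routine on most resolvers, so what matters is non-IN UPDATE and NOTIFY traffic and non-IN classes that are otherwise never seen from a given source.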

Impact

Exploitation of this vulnerability causes the `named` server to terminate unexpectedly, leading to a denial-of-service condition.

Remediation

Users can upgrade to BIND 9 versions 9.18.49, 9.20.23, or 9.21.22. For those using BIND Supported Preview Edition, versions 9.18.49-S1, 9.20.23-S1, or 9.21.22-S1 are available.

Added: May 20, 2026, 1:19 PM
Updated: May 20, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 8.9
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.