CVE-2006-0987

CVE-2006-0987 affects ISC BIND configured as a caching DNS server, where the default setup before 9.4.1-P1 allows recursive queries and leaks delegation information to arbitrary IPs, enabling remote attackers to trigger traffic amplification and a denial of service via spoofed DNS queries. The co...

CVE-2023-50868

CVE-2023-50868 is a DNSSEC-related denial of service issue (NSEC3 Closest Encloser proof) that can cause CPU exhaustion. The connected documents confirm impact on DNS implementations such as Unbound and BIND/BIND9 and describe the root cause as processors performing thousands of hash iterations f...

CVE-2012-1667

CVE-2012-1667 affects ISC BIND 9.x before patched releases (examples: 9.7.6-P1, 9.8.3-P1, 9.9.1-P1; and 9.4-ESV/9.6-ESV before listed P1s). The vulnerability arises from improper handling of resource records with a zero-length RDATA, enabling remote DNS servers to trigger a DoS (daemon crash or d...

CVE-2023-50387

CVE-2023-50387 (KeyTrap) affects DNSSEC processing in DNS resolvers. Multiple advisories note excessive CPU/DoS risk when validating DNSKEY/RRSIG in zones with many records. Affected products include Bind (bind9) and Unbound across Linux distributions (e.g., AL2, AlmaLinux) with patches/released ...

CVE-2021-25216

CVE-2021-25216 affects BIND: in 64-bit builds it can trigger a buffer over-read, and in 32-bit builds a buffer overflow with potential remote code execution, when GSS-TSIG is enabled. The ISC SPNEGO implementation is being removed from the April releases of BIND 9.11 and 9.16 (and 9.17 already dr...

CVE-2020-8625

CVE-2020-8625 concerns a buffer overflow in BIND’s SPNEGO/GSS-API security policy implementation. The issue affects BIND versions spanning 9.5.0 up to 9.11.27, 9.12.0 up to 9.16.11, and specific 9.11.3-S1 to 9.11.27-S1 and 9.16.8-S1 to 9.16.11-S1, plus 9.17.0–9.17.1 in development branches. A vul...

CVE-2014-8500

CVE-2014-8500 affects ISC BIND 9.0.x–9.8.x, 9.9.0–9.9.6, and 9.10.0–9.10.1, where delegation chaining is not limited, enabling remote attackers to cause memory exhaustion or a named crash via a large or infinite number of referrals. Impact: denial of service; all recursive resolvers are affected,...

CVE-2020-8616

CVE-2020-8616 (ISC BIND): A denial-of-service exists due to failure to limit the number of fetches when processing referrals. A remote attacker can craft referrals to cause a recursing server to perform a very large number of fetches, degrading performance and enabling potential reflection attack...

CVE-2015-4620

Vulnerability CVE-2015-4620 affects ISC BIND when configured as a DNSSEC-validating recursive resolver. name.c in BIND 9.7.x–9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2 can crash the server (assertion failure and daemon exit) after crafting zone data and issuing a query for a name in that z...

CVE-2008-0122

CVE-2008-0122 describes an off-by-one error in the inet_network function in libbind used by ISC BIND 9.4.2 and earlier. The vulnerability affects those BIND versions (and is used in libc on FreeBSD 6.2–7.0-PRERELEASE), enabling context-dependent attackers to trigger memory corruption that can cau...

CVE-2020-8617

CVE-2020-8617 involves ISC BIND and is triggered by a logic error in the TSIG validity check (tsig.c). A remote attacker who can guess or know the TSIG key name could cause the server to reach an inconsistent state or trigger an assertion failure, leading to a denial of service. Several connected...

CVE-2017-3141

CVE-2017-3141 arises from an unquoted service path in the Windows installer for BIND, enabling local privilege escalation if host file permissions permit. Affected versions include BIND 9.2.6-P2→9.2.9, 9.3.2-P1→9.3.6, 9.4.0→9.8.8, 9.9.0→9.9.10, 9.10.0→9.10.5, 9.11.0→9.11.1, 9.9.3-S1→9.9.10-S1, an...

CVE-2023-3341

CVE-2023-3341 describes a stack-exhaustion DoS in ISC BIND’s control channel; recursive parsing of control channel messages can overflow stack, causing named to terminate. Affected are BIND/NAMED versions across multiple series (e.g., 9.2.0–9.16.43, 9.18.0–9.18.18, 9.19.0–9.19.16, plus S1 variant...

CVE-2021-25215

CVE-2021-25215 affects BIND 9 upstream and downstream builds. The vulnerability is an assertion failure in the named process when handling DNAME-related queries, which can cause named to terminate. Affected versions include BIND 9.0.0–9.11.29, 9.12.0–9.16.13, and specific S1/“Supported Preview” b...

CVE-2020-8619

CVE-2020-8619 affects ISC BIND9: versions 9.11.14–9.11.19, 9.14.9–9.14.12, and 9.16.0–9.16.3 are vulnerable. The root cause is an asterisk (*) in an empty non-terminal location in the DNS graph, which can trigger an assertion in rbtdb.c and cause denial of service. Exploitation would require zone...

CVE-2021-25220

CVE-2021-25220 affects ISC BIND where cache poisoning can occur when using DNS forwarders, allowing forged NS records to be cached and cause queries to reach the wrong servers or return false information. The Initial CVE data covers BIND versions from 9.11.x (including 9.11.0–9.11.36) and 9.12.x ...

CVE-2018-5741

CVE-2018-5741 concerns ISC BIND 9 and its update-policy feature for Dynamic DNS (DDNS). The issue stems from incorrect documentation of krb5-subdomain and ms-subdomain rule types in the Administrator Reference Manual, which could lead operators to believe their configured policies are more restri...

CVE-2021-25219

CVE-2021-25219 affects ISC BIND; a flaw in response processing allows abuse of the lame cache, degrading resolver performance and potentially causing DoS. Affected ranges include BIND 9.3.0–9.11.35, 9.12.0–9.16.21, 9.9.3-S1–9.11.35-S1, 9.16.8-S1–9.16.21-S1, and 9.17.0–9.17.18 (development/joint b...

CVE-2018-5740

CVE-2018-5740 is a flaw in the deny-answer-aliases feature of BIND that can cause an assertion failure in named, potentially restarting the bind process (denial of service). Affected BIND versions include 9.7.0–9.8.8, 9.9.0–9.9.13, 9.10.0–9.10.8, 9.11.0–9.11.4, 9.12.0–9.12.2, and 9.13.0–9.13.2. R...

CVE-2021-25214

CVE-2021-25214 affects BIND’s named when processing a malformed IXFR, causing named to terminate on the next refresh of the transferred zone. Concrete details across connected advisories show affected BIND ranges and the specific fixes: ALT Linux and others report updates that address CVEs 25214/...

CVE-2022-2795

CVE-2022-2795 is a DNS resolver vulnerability in BIND where flooding the resolver with specific queries can cause a denial of service by severely degrading resolver performance. The issue is associated with the BIND 9 series (notably 9.16.x, 9.18.x, and 9.19.x branches in various advisories) and ...

CVE-2020-8622

CVE-2020-8622 pertains to ISC BIND and causes an assertion failure leading to a server exit when processing a truncated TSIG-signed response. The vulnerability can be triggered by an attacker on the network path or by exploiting a server receiving a TSIG-signed request, potentially harming availa...

CVE-2022-3094

CVE-2022-3094 affects ISC BIND and allows denial of service by flooding dynamic DNS UPDATE requests. A memory allocation occurs before ACL checks, and memory retained for accepted clients can exhaust resources; memory for non-permitted clients is released on rejection. The impact is a DoS (availa...

CVE-2017-3145

CVE-2017-3145 affects BIND: the resolver incorrectly sequenced cleanup operations on upstream recursion fetch contexts, causing a use-after-free that can trigger an assertion failure and crash named. Affected versions include BIND 9.0.0 through 9.8.x, 9.9.0–9.9.11, 9.10.0–9.10.6, 9.11.0–9.11.2, 9...

CVE-2023-4408

The CVE-2023-4408 issue is a vulnerability in the DNS message parsing of BIND's named where the parsing path has an overly high computational complexity. A crafted large or malformed DNS message can cause high CPU usage on affected BIND 9 releases, potentially impacting both authoritative servers...

CVE-2023-2828

CVE-2023-2828 concerns the BIND 9 DNS server’s named component. The vulnerability stems from the cache-cleaning logic: when the resolver is queried for specific RRsets in a certain order, the configured max-cache-size can be exceeded, potentially causing memory exhaustion. Affected are multiple B...

CVE-2022-3924

CVE-2022-3924 is a vulnerability in ISC BIND where stale-answer-client-timeout (enabled with a positive value) can cause a race between returning a stale answer and an early SERVFAIL, potentially triggering an assertion failure and DoS. Affected are BIND 9.16.12–9.16.36, 9.18.0–9.18.10, 9.19.0–9....

CVE-2017-3143

The CVE-2017-3143 issue is a TSIG authentication bypass in ISC BIND that could allow an attacker who can communicate with an authoritative DNS server and knows a valid TSIG key name to manipulate BIND into accepting an unauthorized dynamic update. The vulnerability affects multiple BIND releases ...

CVE-2002-0651

CVE-2002-0651 relates to a buffer overflow in DNS resolver code used by libc, glibc, and libbind (originating from ISC BIND). Connected advisories describe that versions of ISC BIND upstream prior to 9.2.1 were vulnerable to a resolver buffer overflow which could be triggered by crafted DNS respo...

CVE-2022-3736

CVE-2022-3736 affects ISC BIND 9 resolvers. When stale-answer-cache is enabled and stale-answer-timeout is >0, receiving an RRSIG query can cause named to crash. Affected versions include 9.16.12–9.16.36, 9.18.0–9.18.10, 9.19.0–9.19.8 (and associated S1 builds). Patches exist: remediation is t...

CVE-2016-1286

CVE-2016-1286 affects ISC BIND 9.x (before 9.9.8-P4 and 9.10.x before 9.10.3-P4). A remote attacker can trigger a denial of service by sending a crafted DNS signature for a DNAME record, leading to an assertion failure in resolver.c or db.c and a named process crash. The issue is documented with ...

CVE-2016-8864

CVE-2016-8864 affects ISC BIND DNS server. A denial-of-service can be triggered by processing responses containing a DNAME answer in db.c/resolver.c during recursive queries, causing an assertion failure and named exit. Affected are BIND 9.x releases listed in the advisory (pre-9.9.9-P4, pre-9.10...

CVE-2023-6516

CVE-2023-6516 affects ISC BIND (named) as a denial-of-service vector via an out-of-memory condition in the cache-cleanup path when recursive queries trigger maintenance. The issue can allow memory usage to exceed max-cache-size, potentially causing DoS on vulnerable BIND 9 installations. Affected...

CVE-2018-5745

CVE-2018-5745 affects BIND's managed-keys feature, causing an assertion failure (and possible server exit) when a trust anchor is rolled over to an unsupported key algorithm. Affected: BIND 9 series (various 9.9.x–9.13.x branches and preview releases). Impact: potential denial of service by crash...

CVE-2014-3214

CVE-2014-3214 affects ISC BIND prefetch in the server when a recursive nameserver is enabled (ISC BIND 9.10.0). A crafted DNS response can trigger an assertion failure and daemon exit, causing a denial of service. The NVD reports base metrics: CVSS v2 base score 5.0 (Medium) with network access a...

CVE-2018-5743

CVE-2018-5743 affects BIND in multiple releases (notably 9.9.0–9.14.0, including some 9.11/9.13 branches). The flaw allows the named process to exceed its configured limit on simultaneous TCP connections, risking exhaustion of file descriptors and potentially affecting associated log/zone file ma...

CVE-2015-5986

ISC BIND vulnerability CVE-2015-5986 arises from an incorrect boundary check in openpgpkey_61.c within named, allowing remote attackers to crash the server via a crafted DNS response. Affected products/versions: BIND 9.9.7 before 9.9.7‑P3 and 9.10.x before 9.10.2‑P4. Exploitation can cause a deni...

CVE-2019-6465

CVE-2019-6465 : ACLs for zone transfers in BIND may be bypassed for dynamically loadable zones (DLZs) when zones are writable. Affected versions span BIND 9.9.0–9.13.6 across multiple development branches and general releases. The issue enables a remote user to bypass the allow-transfer ACL and o...

CVE-2022-38178

CVE-2022-38178 affects BIND 9 DNS resolver. Attackers can spoof responses with a malformed EdDSA signature to trigger a memory leak, gradually exhausting memory and potentially crashing named. Connected advisories (Brocade SANnav postings with CVE-2022-38178, and ALAS/AmazonLinux entries) confirm...

CVE-2022-38177

CVE-2022-38177 is a memory-leak vulnerability in ISC BIND's DNSSEC code (ECDSA) that can allow a remote attacker spoofing responses to exhaust memory and crash named. Affected BIND versions prior to patched releases are prone; remediation is to upgrade to patched builds (e.g., BIND 9.16.33-1 or n...

CVE-2016-2776

CVE-2016-2776 describes a denial-of-service in ISC BIND where a crafted DNS query leads to an assertion failure in buffer.c while building responses, causing named to exit. Affected products/versions include BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3. The root ca...

CVE-2015-8461

CVE-2015-8461 affects ISC BIND 9.9.8-P2 and 9.10.3-P2. A race condition in resolver.c when processing socket errors can trigger an INSIST assertion failure and cause named to exit, leading to remote denial of service. Remediation is to apply the fixed releases (9.9.8-P2 / 9.10.3-P2) or update to ...

CVE-2002-0029

CVE-2002-0029 concerns buffer overflows in the DNS stub resolver library used by ISC BIND (versions 4.9.2–4.9.10) and in derived libraries such as BSD libc and GNU glibc. The overflow occurs when processing certain DNS server responses that trigger the getnetbyname or getnetbyaddr code paths, all...

CVE-2020-8623

CVE-2020-8623 affects BIND up to various maintained branches (notably 9.10.0–9.17.x). Root cause: native PKCS#11 code can trigger an assertion failure when processing queries for RSA-signed zones if BIND is built with --enable-native-pkcs11, leading to a crash and potential availability impact. A...

CVE-2016-9131

CVE-2016-9131 concerns ISC BIND and is triggered by improper handling of responses during recursion. A remote attacker can send a malformed RTYPE ANY response to cause an assertion failure and named process exit, i.e., a denial-of-service. Public advisories confirm affected versions across multip...

CVE-2016-2775

CVE-2016-2775 is a denial-of-service in ISC BIND where, when lwresd or the lwres option is enabled, an overly long request using the lightweight resolver protocol can crash the daemon. Affected versions: BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2. Public advisor...

CVE-2023-5679

CVE-2023-5679 : A bad interaction between DNS64 and serve-stale in ISC BIND can cause named to crash with an assertion failure during recursive resolution when both features are enabled. Affected products/versions include BIND 9.16.x (notably up to 9.16.45) and 9.18.x/9.19.x series with correspon...

CVE-2015-8000

CVE-2015-8000 affects ISC BIND 9.x (before 9.9.8-P2 and 9.10.x before 9.10.3-P2). A flaw in db.c parsing incoming responses allows remote DoS via a malformed class attribute, causing an assertion failure and daemon exit. F5’s advisory notes vulnerability presence in BIG-IP family components that ...

CVE-2013-4854

CVE-2013-4854 affects ISC BIND, where the RFC 5011 RDATA handling in rdata.c can trigger an assertion failure during log message construction when processing a malformed RDATA, allowing remote DoS with named exiting. Vulnerable ranges include BIND 9.7.x and 9.8.x before 9.8.5-P2 and 9.8.6b1, 9.9....

CVE-2017-3142

CVE-2017-3142: ISC BIND could allow bypass of TSIG authentication for AXFR requests, enabling zone transfers to unauthorized recipients or acceptance of bogus NOTIFY packets when only TSIG is relied upon. Affected BIND versions include 9.4.0–9.8.8, 9.9.0–9.9.10-P1, 9.10.0–9.10.5-P1, 9.11.0–9.11.1...