cvebase

ISC BIND 9 vulnerabilities

128 known vulnerabilities affecting isc/bind9.

Total CVEs: 128
CISA KEV: 0
Public exploits: 7
Exploited in wild: 4
Severity breakdown: CRITICAL 1, HIGH 73, MEDIUM 47, LOW 7

Vulnerabilities

Page 2 of 7
CVE-2013-2266 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 1:9.8.4.dfsg.P1-6+nmu1 | 2013-03-28
libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, 9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process.
osv
CVE-2016-2775 | P3 | MEDIUM | CVSS 5.9 | ≥ 0, < 1:9.10.3.dfsg.P4-11 | 2016-07-19
ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.
osv
CVE-2024-11187 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.16.50-1~deb11u3; ≥ 0, < 1:9.18.33-1~deb12u2; +1 more | 2025-01-29
It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones
osv
CVE-2025-8677 | P3 | HIGH | CVSS 8.6 | ≥ 0, < 1:9.18.30-0ubuntu0.20.04.2+esm1 | 2025-11-12
bind9 vulnerabilities. USN-7836-1 fixed vulnerabilities in Bind. This update provides the corresponding fixes for Ubuntu 20.04 LTS. Original advisory details: Zuyao Xu and Xiang Li discovered that Bind incorrectly handled certain malformed DNSKEY records. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. (CVE-2025-8677) Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan discovered t
osv
CVE-2024-12705 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.18.33-1~deb12u2; ≥ 0, < 1:9.20.5-1 | 2025-01-29
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.
osv
CVE-2020-8616 | P3 | HIGH | CVSS 8.6 | CWE-400 | 9.0.0 -> 9.11.18, 9.12.0 -> 9.12.4-P2, 9.14.0 -> 9.14.11, 9.16.0 -> 9.16.2, and releases 9.17.0 -> 9.17.1 of the 9.17 experimental development branch. All releases in the obsolete 9.13 and 9.15 development branches. All releases of BIND Supported Preview Edition from 9.9.3-S1 -> 9.11.18-S1 | 2020-05-19
A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance o
nvd, osv
CVE-2015-5722 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 1:9.9.5.dfsg-12 | 2015-09-05
buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone.
osv
CVE-2022-3924 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.16.37-1~deb11u1; ≥ 0, < 1:9.18.11-1 | 2023-01-26
This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are
osv
CVE-2025-13878 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.18.44-1~deb12u1; ≥ 0, < 1:9.20.18-1~deb13u1; +1 more | 2026-01-21
Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.
osv
CVE-2025-40778 | P3 | HIGH | CVSS 8.6 | ≥ 0, < 1:9.16.50-1~deb11u4; ≥ 0, < 1:9.18.41-1~deb12u1; +2 more | 2025-10-22
Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 t
osv
CVE-2025-40780 | P3 | HIGH | CVSS 8.6 | ≥ 0, < 1:9.16.50-1~deb11u4; ≥ 0, < 1:9.18.41-1~deb12u1; +2 more | 2025-10-22
In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 thr
osv
CVE-2022-3094 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.16.1-0ubuntu2.12; ≥ 0, < 1:9.18.1-1ubuntu1.3 | 2023-01-25
bind9 vulnerabilities. Rob Schulhof discovered that Bind incorrectly handled a large number of UPDATE messages. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service. (CVE-2022-3094) Borja Marcos discovered that Bind incorrectly handled certain RRSIG queries. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ub
osv
CVE-2021-25215 | P3 | HIGH | CVSS 7.5 | CWE-617 | Open Source Branches 9.0 through 9.11: 9.0.0 through versions before 9.11.30; Open Source Branches 9.12 through 9.16: 9.12.0 through versions before 9.16.14; +3 more | 2021-04-29
In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process wi
nvd, osv
CVE-2012-4244 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 1:9.8.4.dfsg-1 | 2012-09-14
ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record.
osv
CVE-2025-40775 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.20.9-1 | 2025-05-21
When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.
osv
CVE-2018-5738 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.11.3+dfsg-2 | 2019-01-16
Change #4777 (introduced in October 2017) introduced an unforeseen issue in releases which were issued after that date, affecting which clients are permitted to make recursive queries to a BIND nameserver. The intended (and documented) behavior is that if an operator has not specified a value for the "allow-recu
osv
CVE-2012-5166 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 1:9.8.1.dfsg.P1-4.3 | 2012-10-10
ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records.
osv
CVE-2012-3817 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 1:9.8.1.dfsg.P1-4.2 | 2012-07-25
ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries.
osv
CVE-2012-1667 | P3 | HIGH | CVSS 8.5 | ≥ 0, < 1:9.8.1.dfsg.P1-4.1 | 2012-06-05
ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.
osv
CVE-2016-2848 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.9.3.dfsg.P2-1 | 2016-10-21
ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record.
osv