ISC BIND 9 vulnerabilities
128 known vulnerabilities affecting isc/bind9.
Total CVEs: 128
CISA KEV: 0
Public exploits: 7
Exploited in wild: 4
Severity breakdown: CRITICAL 1, HIGH 73, MEDIUM 47, LOW 7
Vulnerabilities
Page 4 of 7
CVE-2023-4408 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.16.48-1; ≥ 0, < 1:9.18.24-1; +1 more | 2024-02-13
The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This issu
osv
CVE-2023-5517 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.16.48-1; ≥ 0, < 1:9.18.24-1; +1 more | 2024-02-13
A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect ;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 th
osv
CVE-2025-40777 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.20.11-1 | 2025-07-16
If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or autho
osv
CVE-2020-8620 | P3 | HIGH | CVSS 7.5 | CWE-617 | ≥ 9.15.6, < * | 2020-08-21
In BIND 9.15.6 -> 9.16.5, 9.17.0 -> 9.17.3, An attacker who can establish a TCP connection with the server and send data on that connection can exploit this to trigger the assertion failure, causing the server to exit.
nvd, osv
CVE-2021-25218 | P3 | HIGH | CVSS 7.5 | CWE-617 | vStable Branch 9.16.19; vDevelopment Branch 9.17.16; +1 more | 2021-08-18
In BIND 9.16.19, 9.17.16. Also, version 9.16.19-S1 of BIND Supported Preview Edition When a vulnerable version of named receives a query under the circumstances described above, the named process will terminate due to a failed assertion check. The vulnerability affects only BIND 9 releases 9.16.19, 9.17.16, and release 9.16.19-S1 of the BIND Supported
nvd
CVE-2017-3135 | P3 | MEDIUM | CVSS 5.9 | ≥ 0, < 1:9.10.3.dfsg.P4-12 | 2019-01-16
Under some conditions when using both DNS64 and RPZ to rewrite query responses, query processing can resume in an inconsistent state leading to either an INSIST assertion failure or an attempt to read through a NULL pointer. Affects BIND 9.8.8, 9.9.3-S1 -> 9.9.9-S7, 9.9.3 -> 9.9.9-P5, 9.9.10b1, 9.10.0 -> 9.10.
osv
CVE-2022-1183 | P3 | HIGH | CVSS 7.5 | CWE-617 | vOpen Source Branch 9.18 9.18.0 through versions before 9.18.3; vDevelopment Branch 9.19 9.19.0 | 2022-05-19
On vulnerable configurations, the named daemon may, in some circumstances, terminate with an assertion failure. Vulnerable configurations are those that include a reference to http within the listen-on statements in their named.conf. TLS is used by both DNS over TLS (DoT) and DNS over HTTPS (DoH), but configurations using DoT alone are unaffected. Affec
nvd, osv
CVE-2020-8621 | P3 | HIGH | CVSS 7.5 | CWE-617 | ≥ 9.14.0, < * | 2020-08-21
In BIND 9.14.0 -> 9.16.5, 9.17.0 -> 9.17.3, If a server is configured with both QNAME minimization and 'forward first' then an attacker who can send queries to it may be able to trigger the condition that will cause the server to crash. Servers that 'forward only' are not affected.
nvd, osv
CVE-2023-5679 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.16.48-1; ≥ 0, < 1:9.18.24-1; +1 more | 2024-02-13
A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and
osv
CVE-2019-6477 | P3 | HIGH | CVSS 7.5 | CWE-400 | v9.11.6-P1 -> 9.11.12, 9.12.4-P1 -> 9.12.4-P2, 9.14.1 -> 9.14.7, and versions 9.11.5-S6 -> 9.11.12-S1 of BIND 9 Supported Preview Edition. Versions 9.15.0 -> 9.15.5 of the BIND 9.15 development branch are also affected | 2019-11-26
With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle. When a TCP connection with a large number of pipelined
nvd, osv
CVE-2020-8622 | P3 | MEDIUM | CVSS 6.5 | CWE-617 | ≥ 9.0.0, < unspecified; ≥ unspecified, < 9.11.22; +5 more | 2020-08-21
In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the se
nvd, osv
CVE-2023-6516 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.16.48-1; ≥ 0, < 1:9.17.19-1 | 2024-02-13
To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovere
osv
CVE-2026-3119 | P3 | MEDIUM | CVSS 6.5 | ≥ 0, < 1:9.20.21-1~deb13u1; ≥ 0, < 1:9.20.21-1 | 2026-03-25
Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.
osv
CVE-2021-25214 | P3 | MEDIUM | CVSS 6.5 | CWE-617 | vOpen Source Branch 9.8 9.8.5 through 9.8.8; vOpen Source Branches 9.9 through 9.11 9.9.3 through versions before 9.11.30; +4 more | 2021-04-29
In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the
nvd, osv
CVE-2019-6468 | P3 | HIGH | CVSS 7.5 | ≥ 0, < 1:9.9.5.dfsg-3ubuntu0.19; ≥ 0, < 1:9.10.3.dfsg.P4-8ubuntu1.12; +1 more | 2019-04-24
In BIND Supported Preview Edition, an error in the nxdomain-redirect feature can occur in versions which support EDNS Client Subnet (ECS) features. In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure. Versions affected: BIND Supported Previe
osv
CVE-2022-2906 | P3 | HIGH | CVSS 7.5 | CWE-401 | vOpen Source Branch 9.18 9.18.0 through versions before 9.18.7; vDevelopment Branch 9.19 9.19.0 through versions before 9.19.5 | 2022-09-21
An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
nvd, osv
CVE-2022-3080 | P3 | HIGH | CVSS 7.5 | CWE-613 | vOpen Source Branch 9.16 9.16.14 through versions before 9.16.33; vOpen Source Branch 9.18 9.18.0 through versions before 9.18.7; +2 more | 2022-09-21
By sending specific queries to the resolver, an attacker can cause named to crash.
nvd, osv
CVE-2017-3136 | P3 | MEDIUM | CVSS 5.9 | ≥ 0, < 1:9.10.3.dfsg.P4-12.3 | 2019-01-16
A query with a specific set of characteristics could cause a server using DNS64 to encounter an assertion failure and terminate. An attacker could deliberately construct a query, enabling denial-of-service against a server if it was configured to use the DNS64 feature and other preconditions were met. Affects BIND 9.8.0 -> 9.8.8-P1,
osv
CVE-2010-0382 | P3 | LOW | CVSS 2.6 | ≥ 0, < 1:9.7.0.dfsg-1 | 2010-01-22
ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022.
osv
CVE-2018-5741 | P3 | MEDIUM | CVSS 6.5 | ≥ 0, < 1:9.11.5+dfsg-1 | 2019-01-16
To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Un
osv