Isc Bind 9 vulnerabilities

CVE-2026-3104 [HIGH] CWE-772 CVE-2026-3104: A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

CVE-2026-1519 [HIGH] CWE-606 CVE-2026-1519: If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the re If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-qu

CVE-2026-3591 [MEDIUM] CWE-305 CVE-2026-3591: A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fai

CVE-2026-3119 [MEDIUM] CWE-617 CVE-2026-3119: Under certain conditions, `named` may crash when processing a correctly signed query containing a TK Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.2

CVE-2025-13878 [HIGH] CWE-617 CVE-2025-13878: Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 v Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

CVE-2025-40778 [HIGH] CWE-349 CVE-2025-40778: Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an at Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 th

CVE-2025-8677 [HIGH] CWE-405 CVE-2025-8677: Querying for records within a specially crafted zone containing certain malformed DNSKEY records can Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

CVE-2025-40780 [HIGH] CWE-341 CVE-2025-40780: In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is us In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S

CVE-2025-40776 [HIGH] CWE-349 CVE-2025-40776: A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulner A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack. This issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.

CVE-2025-40777 [HIGH] CWE-617 CVE-2025-40777: If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer- If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort wi

CVE-2025-40775 [HIGH] CWE-232 CVE-2025-40775: When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.

CVE-2024-12705 [HIGH] CWE-770 CVE-2024-12705: Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it wit Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.

CVE-2024-11187 [HIGH] CWE-405 CVE-2024-11187: It is possible to construct a zone such that some queries to it will generate responses containing n It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been d

CVE-2024-1737 [HIGH] CWE-770 CVE-2024-1737: Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same h Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.2

CVE-2024-0760 [HIGH] CWE-770 CVE-2024-0760: A malicious client can send many DNS messages over TCP, potentially causing the server to become uns A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1.

CVE-2024-4076 [HIGH] CWE-617 CVE-2024-4076: Client queries that trigger serving stale data and that also require lookups in local authoritative Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1.

CVE-2024-1975 [HIGH] CWE-770 CVE-2024-1975: If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.

CVE-2023-4408 [HIGH] CWE-407 CVE-2023-4408: The DNS message parsing code in `named` includes a section whose computational complexity is overly The DNS message parsing code in `named` includes a section whose computational complexity is overly high. It does not cause problems for typical DNS traffic, but crafted queries and responses may cause excessive CPU load on the affected `named` instance by exploiting this flaw. This issue affects both authoritative servers and recursive resolvers. This i

CVE-2023-6516 [HIGH] CWE-770 CVE-2023-6516: To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts To keep its cache database efficient, `named` running as a recursive resolver occasionally attempts to clean up the database. It uses several methods, including some that are asynchronous: a small chunk of memory pointing to the cache element that can be cleaned up is first allocated and then queued for later processing. It was discovered that if the res

CVE-2023-5679 [HIGH] CWE-617 CVE-2023-5679: A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure A bad interaction between DNS64 and serve-stale may cause `named` to crash with an assertion failure during recursive resolution, when both of these features are enabled. This issue affects BIND 9 versions 9.16.12 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.12-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.