cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-12705,https://securityvulnerability.io/vulnerability/CVE-2024-12705,Denial of Service Vulnerability in BIND 9 by ISC,"A vulnerability exists in BIND 9 that allows clients utilizing DNS-over-HTTPS (DoH) to overload a DNS resolver's CPU and memory. Attackers can exploit this by sending a flood of crafted HTTP/2 traffic, whether valid or invalid, which can result in a significant degradation of service performance. This issue affects multiple versions of BIND 9, necessitating prompt attention from users to mitigate potential risks.",Isc,Bind 9,7.5,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-29T21:40:27.839Z,false,false,false,,2025-01-29T21:40:27.839Z,130
CVE-2024-11187,https://securityvulnerability.io/vulnerability/CVE-2024-11187,Resource Exhaustion Vulnerability in BIND 9 by ISC,"A resource exhaustion vulnerability exists in BIND 9 that can be exploited through specially crafted DNS zones. Attackers can generate numerous query responses that overwhelm both authoritative servers and resolvers, leading to high resource consumption. This can disrupt DNS services and degrade server performance. System administrators are advised to review their DNS configurations and apply necessary mitigations to safeguard their systems from potential exploitation caused by this vulnerability.",Isc,Bind 9,7.5,HIGH,0.0004299999854993075,false,,true,false,true,2025-01-29T21:40:11.942Z,false,false,false,,2025-01-29T21:40:11.942Z,451
CVE-2024-4076,https://securityvulnerability.io/vulnerability/CVE-2024-4076,Stale Data and Assertion Failures in BIND 9 Versions,"This vulnerability in BIND 9 arises from a failure in handling client queries that can trigger the serving of stale data. In scenarios where local authoritative zone data is required for lookups, the issue may lead to an assertion failure. This poses a significant concern for users relying on BIND 9 for DNS services. Versions of BIND 9 affected include a range from 9.11.x to 9.19.x, necessitating immediate attention to prevent potential disruptions in service.",Isc,Bind 9,7.5,HIGH,0.00044999999227002263,false,,true,false,true,2025-02-13T18:19:10.000Z,,false,false,,2024-07-23T14:40:57.256Z,0
CVE-2024-1975,https://securityvulnerability.io/vulnerability/CVE-2024-1975,Excessive CPU Usage for DNSSEC-Validated 'KEY' Resource Records in BIND 9,"A resource exhaustion vulnerability exists in BIND 9 software that can be exploited when a server hosts a zone containing a 'KEY' Resource Record, or when a resolver DNSSEC-validates a 'KEY' Resource Record from a DNSSEC-signed domain cached. Attackers can overwhelm resolver CPU resources with a continuous stream of SIG(0) signed requests, potentially leading to a denial of service condition. This affects multiple versions of BIND 9, including those from the 9.0.0 series to the latest releases.",Isc,Bind 9,7.5,HIGH,0.00044999999227002263,false,,false,false,true,2025-02-13T18:17:40.000Z,,false,false,,2024-07-23T14:38:57.143Z,0
CVE-2024-1737,https://securityvulnerability.io/vulnerability/CVE-2024-1737,Degraded Performance in BIND Due to Large DNS Caches,"This vulnerability affects the BIND DNS server, specifically targeting its resolver caches and authoritative zone databases. When these components hold a substantial number of Resource Records (RRs) for a single hostname, they may experience degraded performance. This can occur both during updates or additions of content and when handling client queries. The affected versions of BIND are known to struggle with such scenarios, potentially affecting the overall efficiency of DNS resolution and impacting service availability.",Isc,Bind 9,7.5,HIGH,0.00044999999227002263,false,,true,false,true,2025-02-13T18:17:39.000Z,,false,false,,2024-07-23T14:34:09.750Z,0
CVE-2024-0760,https://securityvulnerability.io/vulnerability/CVE-2024-0760,DNS Server Unstable During Malicious DNS Message Flood,"The vulnerability CVE-2024-0760 affects the DNS server and can cause it to become unstable during a flood of malicious DNS messages over TCP. It impacts BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. This vulnerability could lead to a denial of service and has been exploited in the wild. Ubuntu has released updated packages to fix the issue, and it is recommended for affected systems to update promptly.",Isc,Bind 9,7.5,HIGH,0.00044999999227002263,false,,true,false,true,2025-02-13T18:17:33.000Z,,false,false,,2024-07-23T14:26:54.983Z,0
CVE-2023-6516,https://securityvulnerability.io/vulnerability/CVE-2023-6516,Named Resolver May Experience Infinite Loop of Cache Maintenance,"The issue arises in BIND 9's cache database management, where asynchronous cleanup processes may become overwhelmed by ongoing repetitive query patterns. This can result in an exponential growth of queued cleanup events, eventually exceeding the predefined maximum cache size limit. This vulnerability impacts the ability of the resolver to efficiently manage memory and maintain optimal performance over time, leading to potential service disruptions in environments relying on BIND 9 for DNS resolution.",Isc,Bind 9,7.5,HIGH,0.0006399999838322401,false,,false,false,true,2024-06-28T17:15:04.000Z,,false,false,,2024-02-13T14:05:28.933Z,0
CVE-2023-5680,https://securityvulnerability.io/vulnerability/CVE-2023-5680,Large ECS Record Cache Impairs Query Performance,"If a resolver cache has a very large number of ECS records stored for the same name, the process of cleaning the cache database node for this name can significantly impair query performance. 
This issue affects BIND 9 versions 9.11.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.",Isc,Bind 9,5.3,MEDIUM,0.0004299999854993075,false,,false,false,true,2025-02-13T18:17:17.000Z,,false,false,,2024-02-13T14:05:19.783Z,0
CVE-2023-5679,https://securityvulnerability.io/vulnerability/CVE-2023-5679,BIND named Crashes with DNS64 and Serve-Stale Interaction,"The vulnerability arises from a problematic interaction between the DNS64 and serve-stale features in BIND 9. When both features are enabled during recursive DNS resolution, the `named` process may experience a crash due to an assertion failure. This could potentially lead to disrupted DNS service for affected users. The issue affects several versions of BIND 9 from 9.16.12 to 9.16.45, as well as a range of subversions specific to different configurations. Users are encouraged to review their BIND versions and apply necessary mitigations or updates.",Isc,Bind 9,7.5,HIGH,0.00044999999227002263,false,,false,false,true,2025-02-13T18:17:17.000Z,,false,false,,2024-02-13T14:05:06.688Z,0
CVE-2023-5517,https://securityvulnerability.io/vulnerability/CVE-2023-5517,Premature Exit and Assertion Failure in BIND 9 Due to Query-Handling Code Flaw,"A vulnerability exists in the query-handling code of BIND 9 DNS servers, leading to a potential premature exit due to an assertion failure. This occurs when the server is configured with `nxdomain-redirect <domain>;`, in conjunction with receiving a PTR query for an RFC 1918 address, typically resulting in an authoritative NXDOMAIN response. The flaw affects several versions of BIND 9, indicating a risk that could impact DNS resolution across various network environments, necessitating timely updates and mitigations by system administrators.",Isc,Bind 9,7.5,HIGH,0.00044999999227002263,false,,false,false,true,2024-08-22T14:15:05.000Z,,false,false,,2024-02-13T14:04:54.389Z,0
CVE-2023-4408,https://securityvulnerability.io/vulnerability/CVE-2023-4408,High CPU Load in DNS Message Parsing Code Affects BIND 9 Versions,"The DNS message parsing code in the BIND 9 implementation has a section with overly high computational complexity, which is not problematic under standard DNS traffic but can result in excessive CPU load. This vulnerability can be exploited through specially crafted DNS queries and responses, affecting both authoritative servers and recursive resolvers. Users of BIND 9 who run versions from 9.0.0 to 9.16.45, 9.18.0 to 9.18.21, 9.19.0 to 9.19.19, and various S1 versions, should take precautions to mitigate potential impact.",Isc,Bind 9,7.5,HIGH,0.00044999999227002263,false,,false,false,true,2025-02-13T18:16:41.000Z,,false,false,,2024-02-13T14:04:17.519Z,0
CVE-2023-3341,https://securityvulnerability.io/vulnerability/CVE-2023-3341,A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly,"A vulnerability in BIND 9 allows attackers to exploit the recursive nature of packet parsing during control channel message processing. This vulnerability can lead to unexpected termination of the `named` service due to insufficient stack memory. An attacker does not need to possess a valid RNDC key but only requires network access to the control channel's configured TCP port, making it critical for administrators to apply immediate patches to affected versions.",Isc,Bind 9,7.5,HIGH,0.0005200000014156103,false,,false,false,true,2025-02-13T17:16:40.000Z,,false,false,,2023-09-20T13:15:00.000Z,0
CVE-2023-4236,https://securityvulnerability.io/vulnerability/CVE-2023-4236,named may terminate unexpectedly under high DNS-over-TLS query load,"A networking flaw in BIND 9's handling of DNS-over-TLS queries may result in unexpected terminations of the 'named' service. This occurs due to an assertion failure triggered when internal data structures are reused improperly under significant load from DNS-over-TLS queries. Systems running BIND versions between 9.18.0 and 9.18.18, and 9.18.11-S1 to 9.18.18-S1 are affected, potentially leading to service disruptions.",Isc,Bind 9,7.5,HIGH,0.0004799999878741801,false,,false,false,true,2025-02-13T18:16:27.000Z,,false,false,,2023-09-20T13:15:00.000Z,0
CVE-2023-2911,https://securityvulnerability.io/vulnerability/CVE-2023-2911,Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0,"A critical issue has been identified in BIND 9 resolvers, where if the 'recursive-clients' quota is met alongside configurations that enable stale answers, a series of related queries can lead to an unexpected loop and crash of the 'named' service due to stack overflow. This affects multiple versions of BIND 9, necessitating immediate attention from system administrators to mitigate potential disruptions.",Isc,Bind 9,7.5,HIGH,0.0009800000116229057,false,,false,false,true,2024-12-06T19:15:03.000Z,,false,false,,2023-06-21T17:15:00.000Z,0
CVE-2023-2829,https://securityvulnerability.io/vulnerability/CVE-2023-2829,Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled,"A vulnerability exists in the BIND 9 DNSSEC-validating recursive resolver configured with the Aggressive Use of DNSSEC-Validated Cache option. This vulnerability allows an attacker to remotely terminate the service through the exploitation of a zone containing a malformed NSEC record. This poses a risk for DNS resolution integrity and availability, affecting systems that rely on configured BIND 9 instances for DNS queries.",Isc,Bind 9,7.5,HIGH,0.0004400000034365803,false,,false,false,true,2024-12-06T19:15:03.000Z,,false,false,,2023-06-21T17:15:00.000Z,0
CVE-2023-2828,https://securityvulnerability.io/vulnerability/CVE-2023-2828,named's configured cache size limit can be significantly exceeded,"A vulnerability has been identified in BIND 9 recursive resolvers, where the cache-cleaning algorithm can be manipulated through specific query patterns. This manipulation allows the cache size to exceed the configured limits, impacting overall memory management. This flaw affects multiple versions of BIND 9, making it essential for administrators to review their configurations and apply necessary updates to mitigate potential risks.",Isc,Bind 9,7.5,HIGH,0.0005200000014156103,false,,false,false,true,2024-12-06T19:15:03.000Z,,false,false,,2023-06-21T17:15:00.000Z,0
CVE-2022-3736,https://securityvulnerability.io/vulnerability/CVE-2022-3736,named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries,"A flaw in the BIND 9 resolver can lead to a denial of service, causing the resolver to crash. This occurs when stale cache and stale answer handling are enabled, and the option 'stale-answer-client-timeout' is configured with a positive integer. If the resolver encounters an RRSIG query under these conditions, it may fail, interrupting DNS resolution services. This issue impacts multiple BIND 9 versions. Users are advised to review their configurations and consider updates to prevent potential disruptions.",Isc,Bind 9,7.5,HIGH,0.0009299999801442027,false,,false,false,true,2024-08-03T02:16:03.000Z,,false,false,,2023-01-26T21:15:00.000Z,0
CVE-2022-3488,https://securityvulnerability.io/vulnerability/CVE-2022-3488,named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries,"A vulnerability exists in BIND DNS Server that can cause the service to terminate unexpectedly due to improper handling of repeated responses with ECS pseudo-options. Specifically, if the initial response is malformed, the resolver may abort with an assertion failure rather than processing the query correctly. This impacts BIND versions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.36-S1, potentially leading to significant service disruptions.",Isc,Bind 9,7.5,HIGH,0.0013200000394135714,false,,false,false,true,2024-08-03T02:15:57.000Z,,false,false,,2023-01-26T21:15:00.000Z,0
CVE-2022-3094,https://securityvulnerability.io/vulnerability/CVE-2022-3094,An UPDATE message flood may cause named to exhaust all available memory,"A vulnerability exists in BIND that allows for memory resource exhaustion through a flood of dynamic DNS updates. When access permissions are checked after memory allocation, trusted clients can potentially overwhelm the system, causing 'named' to exit due to insufficient memory. While memory is released for rejected updates almost instantly, the risk emerges when invalid updates are sent at scale. This issue impacts BIND versions 9.16.0 to 9.16.36, 9.18.0 to 9.18.10, 9.19.0 to 9.19.8, and 9.16.8-S1 to 9.16.36-S1.",Isc,Bind 9,7.5,HIGH,0.0009299999801442027,false,,false,false,true,2024-08-03T02:15:46.000Z,,false,false,,2023-01-26T21:15:00.000Z,0
CVE-2022-3924,https://securityvulnerability.io/vulnerability/CVE-2022-3924,named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota,"The vulnerability in BIND 9 resolvers occurs due to improper handling of client queries when the 'stale-answer-enable' option is activated along with a positive 'stale-answer-client-timeout' setting. When the resolver experiences a high volume of recursive queries, it may need to terminate the longest waiting client in order to serve a new request. This scenario risks a race condition between sending a stale answer and issuing a 'SERVFAIL' response, potentially leading to an assertion failure that disrupts normal operations. Systems running vulnerable versions of BIND 9 should be assessed and updated to mitigate this risk.",Isc,Bind 9,7.5,HIGH,0.0009299999801442027,false,,false,false,true,2024-08-03T02:16:08.000Z,,false,false,,2023-01-25T21:39:49.110Z,0
CVE-2019-6476,https://securityvulnerability.io/vulnerability/CVE-2019-6476,An error in QNAME minimization code can cause BIND to exit with an assertion failure,"A defect in code added to support QNAME minimization can cause named to exit with an assertion failure if a forwarder returns a referral rather than resolving the query. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.",Isc,Bind 9,5.9,MEDIUM,0.0032099999953061342,false,,false,false,false,,,false,false,,2019-10-16T00:00:00.000Z,0
CVE-2019-6475,https://securityvulnerability.io/vulnerability/CVE-2019-6475,A flaw in mirror zone validity checking can allow zone data to be spoofed,"Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers. A mirror zone is similar to a zone of type secondary, except that its data is subject to DNSSEC validation before being used in answers, as if it had been looked up via traditional recursion, and when mirror zone data cannot be validated, BIND falls back to using traditional recursion instead of the mirror zone. However, an error in the validity checks for the incoming zone data can allow an on-path attacker to replace zone data that was validated with a configured trust anchor with forged data of the attacker's choosing. The mirror zone feature is most often used to serve a local copy of the root zone. If an attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server, this vulnerability could then be used to cause the recursive server to accept a copy of falsified root zone data. This affects BIND versions 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4.",Isc,Bind 9,5.9,MEDIUM,0.001879999996162951,false,,false,false,false,,,false,false,,2019-10-16T00:00:00.000Z,0
CVE-2018-5745,https://securityvulnerability.io/vulnerability/CVE-2018-5745,An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys,"""managed-keys"" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745.",Isc,Bind 9,4.9,MEDIUM,0.0007600000244565308,false,,false,false,false,,,false,false,,2019-10-09T16:15:00.000Z,0
CVE-2018-5744,https://securityvulnerability.io/vulnerability/CVE-2018-5744,A specially crafted packet can cause named to leak memory,"A failure to free memory can occur when processing messages having a specific combination of EDNS options. Versions affected are: BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.10.7-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.",Isc,Bind 9,7.5,HIGH,0.02515999972820282,false,,false,false,false,,,false,false,,2019-10-09T16:15:00.000Z,0
CVE-2018-5743,https://securityvulnerability.io/vulnerability/CVE-2018-5743,Limiting simultaneous TCP clients was ineffective,"By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.",Isc,Bind 9,7.5,HIGH,0.0021200000774115324,false,,false,false,false,,,false,false,,2019-10-09T16:15:00.000Z,0