ISC Latest Vulnerabilities

July 23

Stale Data and Assertion Failures in BIND 9 Versions

CVE-2024-4076

IscBind 9👾7.5HIGH

Excessive CPU Usage for DNSSEC-Validated 'KEY' Resource Records in BIND 9

CVE-2024-1975

IscBind 9👾7.5HIGH

Degraded Performance in BIND Due to Large DNS Caches

CVE-2024-1737

IscBind 9👾7.5HIGH

DNS Server Unstable During Malicious DNS Message Flood

CVE-2024-0760

IscBind 9👾7.5HIGH

July 11

Stork TLS Certificate Validation Code Flawed, Leading to Potential Data Loss and Denial of Service

CVE-2024-28872

IscStork👾8.1HIGH

February 13

Named Resolver May Experience Infinite Loop of Cache Maintenance

CVE-2023-6516

IscBind 9👾7.5HIGH

Large ECS Record Cache Impairs Query Performance

CVE-2023-5680

ISCBIND 95.3MEDIUM

BIND named Crashes with DNS64 and Serve-Stale Interaction

CVE-2023-5679

IscBind 97.5HIGH

Premature Exit and Assertion Failure in BIND 9 Due to Query-Handling Code Flaw

CVE-2023-5517

IscBind 9👾7.5HIGH

High CPU Load in DNS Message Parsing Code Affects BIND 9 Versions

CVE-2023-4408

IscBind 97.5HIGH

September 20

A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly

CVE-2023-3341

ISCBIND 97.5HIGH

named may terminate unexpectedly under high DNS-over-TLS query load

CVE-2023-4236

ISCBIND 97.5HIGH

June 21

named's configured cache size limit can be significantly exceeded

CVE-2023-2828

ISCBIND 97.5HIGH

Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled

CVE-2023-2829

ISCBIND 97.5HIGH

Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0

CVE-2023-2911

ISCBIND 97.5HIGH

January 26

An UPDATE message flood may cause named to exhaust all available memory

CVE-2022-3094

IscBind 9👾7.5HIGH

named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries

CVE-2022-3488

IscBind 9👾7.5HIGH

named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries

CVE-2022-3736

IscBind 9👾7.5HIGH

January 25

named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota

CVE-2022-3924

IscBind 9👾7.5HIGH

October 7

DHCP memory leak

CVE-2022-2929

IscIsc Dhcp👾6.5MEDIUM

An option refcount overflow exists in dhcpd

CVE-2022-2928

IscIsc Dhcp👾6.5MEDIUM

September 21

Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)

CVE-2022-2906

IscBind9👾7.5HIGH

Processing large delegations may severely degrade resolver performance

CVE-2022-2795

IscBind9👾5.3MEDIUM

Memory leaks in EdDSA DNSSEC verification code

CVE-2022-38178

IscBind9👾7.5HIGH

BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly

CVE-2022-3080

IscBind9👾7.5HIGH

Memory leak in ECDSA DNSSEC verification code

CVE-2022-38177

IscBind9👾7.5HIGH

Buffer overread in statistics channel code

CVE-2022-2881

IscBind9👾5.5MEDIUM

May 19

Destroying a TLS session early causes assertion failure

CVE-2022-1183

IscBind9👾7.5HIGH

March 23

CVE-2022-0635

IscBind7.5HIGH

DoS from specifically crafted TCP packets

CVE-2022-0396

IscBind5.3MEDIUM

DNS forwarders - cache poisoning vulnerability

CVE-2021-25220

IscBind6.8MEDIUM

March 22

Assertion failure on delayed DS lookup

CVE-2022-0667

IscBind7.5HIGH

October 27

Lame cache can be abused to severely degrade resolver performance

CVE-2021-25219

IscBind9👾5.3MEDIUM

August 18

A too-strict assertion check could be triggered when responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if RRL is in use

CVE-2021-25218

IscBind9👾7.5HIGH

May 26

A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient

CVE-2021-25217

IscIsc Dhcp👾7.4HIGH

April 29

A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly

CVE-2021-25214

IscBind9👾6.5MEDIUM

An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself

CVE-2021-25215

IscBind9👾7.5HIGH

A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack

CVE-2021-25216

IscBind9👾8.1HIGH

February 17

A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack

CVE-2020-8625

IscBind98.1HIGH

August 21

A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c

CVE-2020-8623

IscBind9👾7.5HIGH

update-policy rules of type "subdomain" are enforced incorrectly

Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c

CVE-2020-8621

IscBind9👾7.5HIGH

A truncated TSIG response can lead to an assertion failure

CVE-2020-8622

IscBind9👾6.5MEDIUM

June 17

A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer

CVE-2020-8619

IscBind94.9MEDIUM

A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer

CVE-2020-8618

IscBind94.9MEDIUM

May 19

BIND does not sufficiently limit the number of fetches performed when processing referrals

CVE-2020-8616

IscBind98.6HIGH

A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c

CVE-2020-8617

IscBind9👾7.5HIGH

November 20

TCP-pipelined queries can bypass tcp-clients limit

CVE-2019-6477

IscBind97.5HIGH

November 5

CVE-2013-5661

IscBind5.9MEDIUM

October 16

An error in QNAME minimization code can cause BIND to exit with an assertion failure

CVE-2019-6476

IscBind 95.9MEDIUM

A flaw in mirror zone validity checking can allow zone data to be spoofed

CVE-2019-6475

IscBind 95.9MEDIUM

October 9

A specially constructed response from a malicious server can cause a buffer overflow in dhclient

CVE-2018-5732

IscIsc Dhcp7.5HIGH

Limiting simultaneous TCP clients was ineffective

CVE-2018-5743

IscBind 97.5HIGH

An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys

CVE-2018-5745

IscBind 94.9MEDIUM

A specially crafted packet can cause named to leak memory

CVE-2018-5744

IscBind 97.5HIGH

August 28

A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate

CVE-2019-6473

IscKea6.5MEDIUM

A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate

CVE-2019-6474

IscKea5.7MEDIUM

A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate

CVE-2019-6472

IscKea6.5MEDIUM

June 19

A race condition when discarding malformed packets can cause BIND to exit with an assertion failure

CVE-2019-6471

IscBind 95.9MEDIUM

May 29

BIND Supported Preview Edition can exit with an assertion failure if ECS is in use

CVE-2019-6469

IscBind 9 Supported Previ...5.9MEDIUM

April 24

An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c

CVE-2019-6467

IscBind 9👾5.9MEDIUM

BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used

CVE-2019-6468

IscBind 9 Supported Previ...5.3MEDIUM

February 21

Zone transfer controls for writable DLZ zones were not effective

CVE-2019-6465

IscBind 95.3MEDIUM

January 16

Windows service and uninstall paths are not quoted when BIND is installed

CVE-2017-3141

IscBind 9👾7.2HIGH

An error processing RPZ rules can cause named to loop endlessly after handling a query

CVE-2017-3140

IscBind 93.7LOW

Failure to properly clean up closed OMAPI connections can exhaust available sockets

CVE-2017-3144

IscIsc Dhcp5.3MEDIUM

named exits with a REQUIRE assertion failure if it receives a null command string on its control channel

CVE-2017-3138

IscBind 96.5MEDIUM

An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c

CVE-2016-9778

IscBind 97.5HIGH

An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"

CVE-2017-3136

IscBind 95.9MEDIUM

Improper fetch cleanup sequencing in the resolver can cause named to crash

CVE-2017-3145

IscBind 97.5HIGH

BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.

CVE-2018-5737

IscBind 95.9MEDIUM

Failure to release memory may exhaust system resources

CVE-2018-5739

IscKea Dhcp6.5MEDIUM

A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named

CVE-2018-5740

IscBind 9👾7.5HIGH

A malicious client can overflow a reference counter in ISC dhcpd

CVE-2018-5733

IscIsc Dhcp5.9MEDIUM

Update policies krb5-subdomain and ms-subdomain do not enforce controls promised in their documentation

CVE-2018-5741

IscBind 96.5MEDIUM

Some versions of BIND can improperly permit recursive query service to unauthorized clients

CVE-2018-5738

IscBind 9👾5.3MEDIUM

A malformed request can trigger an assertion failure in badcache.c

CVE-2018-5734

IscBind 97.5HIGH

An error in TSIG authentication can permit unauthorized dynamic updates

CVE-2017-3143

IscBind 9👾7.5HIGH

A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

June 29

An error in TSIG authentication can permit unauthorized zone transfers

CVE-2017-3142

IscBind 95.3MEDIUM

February 8

Combination of DNS64 and RPZ Can Lead to Crash

CVE-2017-3135

IscBind 97.5HIGH

January 12

November 2

CVE-2016-8864

IscBind7.5HIGH

October 21

CVE-2016-2848

IscBind7.5HIGH

July 6

CVE-2016-6170

IscBind6.5MEDIUM

March 9

February 4

CVE-2016-1284

IscBind5.9MEDIUM

January 20

December 22

CVE-2015-8373

IscKea6.8MEDIUM

December 16

CVE-2015-8461

IscBind

September 5