Unrated severityNVD Advisory· Published Mar 9, 2009· Updated Apr 23, 2026

CVE-2009-0858

Description

The response_addname function in response.c in Daniel J. Bernstein djbdns 1.05 and earlier does not constrain offsets in the required manner, which allows remote attackers, with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain.

Affected products

D.j.bernstein/Djbdns
cpe:2.3:a:d.j.bernstein:djbdns:*:*:*:*:*:*:*:*
Range: <=1.05

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

securityandthe.net/2009/03/05/security-issue-in-djbdns-confirmed/nvdPatch
www.securityfocus.com/bid/33937nvdExploit
it.slashdot.org/article.plnvd
marc.infonvd
marc.infonvd
secunia.com/advisories/35820nvd
www.debian.org/security/2009/dsa-1831nvd
www.securityfocus.com/archive/1/501294/100/0/threadednvd
www.securityfocus.com/archive/1/501340/100/0/threadednvd
www.securityfocus.com/archive/1/501479/100/0/threadednvd
exchange.xforce.ibmcloud.com/vulnerabilities/49003nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.011
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000