Unrated severityNVD Advisory· Published Feb 14, 2024· Updated Nov 4, 2025
CVE-2023-50387
CVE-2023-50387
Description
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Affected products
124- DNS protocol/DNS protocoldescription
- osv-coords123 versionspkg:apk/chainguard/bindpkg:apk/chainguard/bind-devpkg:apk/chainguard/bind-dnssec-rootpkg:apk/chainguard/bind-dnssec-toolspkg:apk/chainguard/bind-docpkg:apk/chainguard/bind-libspkg:apk/chainguard/bind-pluginspkg:apk/chainguard/bind-toolspkg:apk/wolfi/bindpkg:apk/wolfi/bind-devpkg:apk/wolfi/bind-dnssec-rootpkg:apk/wolfi/bind-dnssec-toolspkg:apk/wolfi/bind-docpkg:apk/wolfi/bind-libspkg:apk/wolfi/bind-pluginspkg:apk/wolfi/bind-toolspkg:rpm/almalinux/bindpkg:rpm/almalinux/bind9.16pkg:rpm/almalinux/bind9.16-chrootpkg:rpm/almalinux/bind9.16-develpkg:rpm/almalinux/bind9.16-dnssec-utilspkg:rpm/almalinux/bind9.16-docpkg:rpm/almalinux/bind9.16-libspkg:rpm/almalinux/bind9.16-licensepkg:rpm/almalinux/bind9.16-utilspkg:rpm/almalinux/bind-chrootpkg:rpm/almalinux/bind-develpkg:rpm/almalinux/bind-dnssec-docpkg:rpm/almalinux/bind-dnssec-utilspkg:rpm/almalinux/bind-docpkg:rpm/almalinux/bind-dyndb-ldappkg:rpm/almalinux/bind-export-develpkg:rpm/almalinux/bind-export-libspkg:rpm/almalinux/bind-libspkg:rpm/almalinux/bind-libs-litepkg:rpm/almalinux/bind-licensepkg:rpm/almalinux/bind-lite-develpkg:rpm/almalinux/bind-pkcs11pkg:rpm/almalinux/bind-pkcs11-develpkg:rpm/almalinux/bind-pkcs11-libspkg:rpm/almalinux/bind-pkcs11-utilspkg:rpm/almalinux/bind-sdbpkg:rpm/almalinux/bind-sdb-chrootpkg:rpm/almalinux/bind-utilspkg:rpm/almalinux/dnsmasqpkg:rpm/almalinux/dnsmasq-utilspkg:rpm/almalinux/python3-bindpkg:rpm/almalinux/python3-bind9.16pkg:rpm/almalinux/python3-unboundpkg:rpm/almalinux/unboundpkg:rpm/almalinux/unbound-develpkg:rpm/almalinux/unbound-libspkg:rpm/opensuse/bind&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/dnsmasq&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/dnsmasq&distro=openSUSE%20Leap%20Micro%205.5pkg:rpm/opensuse/pdns-recursor&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/unbound&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/unbound&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/bind&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/bind&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/bind&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205pkg:rpm/suse/bind&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/bind&distro=SUSE%20Manager%20Server%204.3pkg:rpm/suse/dnsmasq&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/dnsmasq&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/dnsmasq&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/dnsmasq&distro=SUSE%20Manager%20Server%204.3pkg:rpm/suse/libuv&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/libuv&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/libuv&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/libuv&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205pkg:rpm/suse/pdns-recursor&distro=SUSE%20Package%20Hub%2015%20SP5pkg:rpm/suse/unbound&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/unbound&distro=SUSE%20Linux%20Micro%206.0pkg:rpm/suse/unbound&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/unbound&distro=SUSE%20Manager%20Server%204.3
< 9.18.24-r0+ 122 more
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 9.18.24-r0
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.16.23-14.el9_3.4
- (no CPE)range: < 32:9.16.23-14.el9_3.4
- (no CPE)range: < 32:9.16.23-14.el9_3.4
- (no CPE)range: < 11.9-8.el9_3.3.alma.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 2.85-14.el9_3.1
- (no CPE)range: < 2.85-14.el9_3.1
- (no CPE)range: < 32:9.11.36-11.el8_9.1
- (no CPE)range: < 32:9.16.23-0.16.el8_9.2.alma.1
- (no CPE)range: < 1.16.2-5.el8_9.2
- (no CPE)range: < 1.16.2-5.el8_9.2
- (no CPE)range: < 1.16.2-5.el8_9.2
- (no CPE)range: < 1.16.2-5.el8_9.2
- (no CPE)range: < 9.16.48-150500.8.16.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 4.8.6-bp155.2.3.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150600.23.3.1
- (no CPE)range: < 9.16.6-150300.22.44.1
- (no CPE)range: < 9.16.6-150000.12.74.2
- (no CPE)range: < 9.16.6-150300.22.44.1
- (no CPE)range: < 9.16.48-150400.5.40.1
- (no CPE)range: < 9.16.48-150400.5.40.1
- (no CPE)range: < 9.16.48-150500.8.16.1
- (no CPE)range: < 9.16.6-150300.22.44.1
- (no CPE)range: < 9.16.48-150500.8.16.1
- (no CPE)range: < 9.11.22-3.52.1
- (no CPE)range: < 9.16.6-150000.12.74.2
- (no CPE)range: < 9.16.6-150300.22.44.1
- (no CPE)range: < 9.16.48-150400.5.40.1
- (no CPE)range: < 9.11.22-3.52.1
- (no CPE)range: < 9.16.6-150000.12.74.2
- (no CPE)range: < 9.16.6-150300.22.44.1
- (no CPE)range: < 9.16.48-150400.5.40.1
- (no CPE)range: < 9.11.22-3.52.1
- (no CPE)range: < 9.16.6-150000.12.74.2
- (no CPE)range: < 9.16.48-150400.5.40.1
- (no CPE)range: < 9.16.48-150400.5.40.1
- (no CPE)range: < 2.90-150100.7.28.1
- (no CPE)range: < 2.90-150100.7.28.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150100.7.28.1
- (no CPE)range: < 2.90-150100.7.28.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150100.7.28.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150100.7.28.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-1.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 2.90-150400.16.3.1
- (no CPE)range: < 1.18.0-150000.3.2.1
- (no CPE)range: < 1.18.0-150000.3.2.1
- (no CPE)range: < 1.18.0-150000.3.2.1
- (no CPE)range: < 1.18.0-150000.3.2.1
- (no CPE)range: < 4.8.6-bp155.2.3.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150600.23.3.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150600.23.3.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.21.0-1.1
- (no CPE)range: < 1.20.0-150100.10.13.1
- (no CPE)range: < 1.20.0-150100.10.13.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
30- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/mitrevendor-advisory
- www.openwall.com/lists/oss-security/2024/02/16/2mitremailing-list
- www.openwall.com/lists/oss-security/2024/02/16/3mitremailing-list
- lists.debian.org/debian-lts-announce/2024/02/msg00006.htmlmitremailing-list
- lists.debian.org/debian-lts-announce/2024/05/msg00011.htmlmitremailing-list
- access.redhat.com/security/cve/CVE-2023-50387mitre
- bugzilla.suse.com/show_bug.cgimitre
- docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.htmlmitre
- gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1mitre
- kb.isc.org/docs/cve-2023-50387mitre
- lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.htmlmitre
- msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387mitre
- news.ycombinator.com/itemmitre
- news.ycombinator.com/itemmitre
- nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/mitre
- security.netapp.com/advisory/ntap-20240307-0007/mitre
- www.athene-center.de/aktuelles/key-trapmitre
- www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdfmitre
- www.isc.org/blogs/2024-bind-security-release/mitre
- www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/mitre
- www.theregister.com/2024/02/13/dnssec_vulnerability_internet/mitre
News mentions
0No linked articles in our index yet.