VYPR

BIND

by ISC

CVEs (201)

  • CVE-2025-8677 | High | Oct 22, 2025
    risk 0.49 | cvss 7.5 | epss 0.11

    Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1…

  • CVE-2025-40777 | High | Jul 16, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a…

  • CVE-2025-40775 | High | May 21, 2025
    risk 0.49 | cvss 7.5 | epss 0.12

    When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and…

  • CVE-2024-12705 | High | Jan 29, 2025
    risk 0.49 | cvss 7.5 | epss 0.16

    Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through…

  • CVE-2024-11187 | High | Jan 29, 2025
    risk 0.49 | cvss 7.5 | epss 0.15

    It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use…

  • CVE-2024-4076 | High | Jul 23, 2024
    risk 0.49 | cvss 7.5 | epss 0.02

    Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through…

  • CVE-2024-1975 | High | Jul 23, 2024
    risk 0.49 | cvss 7.5 | epss 0.02

    If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions…

  • CVE-2024-1737 | High | Jul 23, 2024
    risk 0.49 | cvss 7.5 | epss 0.02

    Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9…

  • CVE-2016-1285 | Medium | Mar 9, 2016
    risk 0.49 | cvss 6.8 | epss 0.59

    named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka…

  • CVE-2009-0265 | High | Jan 26, 2009
    risk 0.49 | cvss 7.5 | epss 0.02

    Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to…

  • CVE-2026-3593 | High | May 20, 2026
    risk 0.48 | cvss 7.4 | epss 0.02

    A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT…

  • CVE-2016-2088 | Medium | Mar 9, 2016
    risk 0.46 | cvss 6.8 | epss 0.23

    resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed packet with more than one cookie option.

  • CVE-2015-8705 | High | Jan 20, 2016
    risk 0.46 | cvss 7.0 | epss 0.08

    buffer.c in named in ISC BIND 9.10.x before 9.10.3-P3, when debug logging is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit, or daemon crash) or possibly have unspecified other impact via (1) OPT data or (2) an ECS option.

  • CVE-2016-6170 | Medium | Jul 6, 2016
    risk 0.45 | cvss 6.5 | epss 0.41

    ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response, and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via…

  • CVE-2015-8704 | Medium | Jan 20, 2016
    risk 0.44 | cvss 6.5 | epss 0.20

    apl_42.c in ISC BIND 9.x before 9.9.8-P3, 9.9.x, and 9.10.x before 9.10.3-P3 allows remote authenticated users to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed Address Prefix List (APL) record.

  • CVE-2016-2775 | Medium | Jul 19, 2016
    risk 0.43 | cvss 5.9 | epss 0.63

    ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.

  • CVE-2026-3119 | Medium | Mar 25, 2026
    risk 0.42 | cvss 6.5 | epss 0.01

    Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue…

  • CVE-2016-1284 | Medium | Feb 4, 2016
    risk 0.39 | cvss 5.9 | epss 0.03

    rdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before 9.9.8-S5, when nxdomain-redirect is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via crafted flag values in a query.

  • CVE-1999-0011 | Medium | Apr 8, 1998
    risk 0.36 | cvss 5.4 | epss 0.05

    Denial of Service vulnerabilities in BIND 4.9 and BIND 8 Releases via CNAME record and zone transfer.

  • CVE-2026-3591 | Medium | Mar 25, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP…
