---
title: "BIND 9 Software Vulnerability Matrix"
slug: "aa-00913"
description: "The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND."
tags: ["bind 9", "BIND 9-S", "security", "Security Vulnerability Matrix", "vulnerability"]
status: "update"
updated: 2026-06-12T02:26:26Z
published: 2026-06-12T02:26:26Z
canonical: "kb.isc.org/aa-00913"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://kb.isc.org/llms.txt
> Use this file to discover all available pages before exploring further.

# BIND 9 Software Vulnerability Matrix

The BIND 9 Software Vulnerability Matrix details known security vulnerabilities in supported versions of BIND. Vulnerabilities are identified by their CVE ID: [Common Vulnerabilities and Exposures](https://www.cve.org/).

This page was previously called the "BIND 9 Security Vulnerability Matrix".

## Using this matrix

Each row with a CVE ID gives the version(s) that fix that problem.

### Determining vulnerability

To determine if/how a **given version** is vulnerable:

- Find the column heading for the corresponding branch (9.X version)
- Read down that column to find the specific 9.X.Y version (or use "Find" in your browser)

To determine if a **given CVE** applies:

- Read down the "CVE ID" column to find the CVE ID (or use "Find" in your browser)
- If you do not know the CVE ID, consult the [complete list of all BIND advisories](/docs/all-bind-advisories)

Once you find a given table row (CVE ID and/or version):

- The listed version(s) contain fixes for that CVE, and are ***not*** vulnerable to that CVE
- A dash (-) indicates no version of that branch (column) is vulnerable
- Any CVEs listed above that version apply: That versions ***is*** vulnerable to ***later*** CVEs
- Any CVEs listed below that version do ***not*** apply: That version is ***not*** vulnerable to ***earlier*** CVEs

For table rows without a CVE:

- A dash (-) indicates that row does not apply to that branch (column)

### Supported Preview Edition

- Most CVEs apply equally to both the open source edition and the Supported Preview Edition (-S).
- If a row lists the `-S1` suffix, the CVE applies ***only*** to the Supported Preview Edition.
- If no `-S1` suffix is present, the CVE applies to both editions.

### Other BIND versions

The major branches on this page will always reflect the currently-supported stable branch(es) of BIND. See [ISC's Software Support Policy and Version Numbering](/docs/aa-00896).

Older branches of BIND are no longer supported, generally do not receive fixes, and may not even be assessed for vulnerability. For historical reference, please see [matrices for obsolete branches](/docs/obsolete-bind-vulnerability-lists).

Development, alpha, beta, or release candidate (RC) versions are not listed here. We recommend that you use only stable branches in any environment for which security is a concern.

## The matrix

Each row with a CVE ID gives the version(s) that fix that problem.

| Release Date | CVE ID | 9.18 | 9.20 |
| --- | --- | --- | --- |
| 2026-05-20 | [CVE-2026-3039](/docs/cve-2026-3039) | 9.18.49 | 9.20.23 |
| 2026-05-20 | [CVE-2026-3592](/docs/cve-2026-3592) | 9.18.49 | 9.20.23 |
| 2026-05-20 | [CVE-2026-3593](/docs/cve-2026-3593) | - | 9.20.23 |
| 2026-05-20 | [CVE-2026-5946](/docs/cve-2026-5946) | 9.18.49 | 9.20.23 |
| 2026-05-20 | [CVE-2026-5947](/docs/cve-2026-5947) | - | 9.20.23 |
| 2026-05-20 | [CVE-2026-5950](/docs/cve-2026-5950) | 9.18.49 | 9.20.23 |
| 2026-04-01 | No CVEs fixed in this release | 9.18.48 | 9.20.22 |
| 2026-03-25 | [CVE-2026-1519](/docs/cve-2026-1519) | 9.18.47 | 9.20.21 |
| 2026-03-25 | [CVE-2026-3104](/docs/cve-2026-3104) | - | 9.20.21 |
| 2026-03-25 | [CVE-2026-3119](/docs/cve-2026-3119) | - | 9.20.21 |
| 2026-03-25 | [CVE-2026-3591](/docs/cve-2026-3591) | - | 9.20.21 |
| 2026-02-27 | No CVEs fixed in this release | 9.18.46 | 9.20.20 |
| 2026-02-18 | No CVEs fixed in this release | 9.18.45 | 9.20.19 |
| 2026-01-21 | [CVE-2025-13878](/docs/cve-2025-13878) | 9.18.44 | 9.20.18 |
| 2025-12-17 | No CVEs fixed in this release | 9.18.43 | 9.20.17 |
| 2025-11-19 | No CVEs fixed in this release | 9.18.42 | 9.20.16 |
| 2025-10-22 | [CVE-2025-8677](/docs/cve-2025-8677) | 9.18.41 | 9.20.15 |
| 2025-10-22 | [CVE-2025-40778](/docs/cve-2025-40778) | 9.18.41 | 9.20.15 |
| 2025-10-22 | [CVE-2025-40780](/docs/cve-2025-40780) | 9.18.41 | 9.20.15 |
| 2025-10-08 | Release Withdrawn | 9.18.40 | 9.20.14 |
| 2025-09-10 | No CVEs fixed in this release | - | 9.20.13 |
| 2025-08-20 | No CVEs fixed in this release | 9.18.39 | 9.20.12 |
| 2025-07-16 | [CVE-2025-40776](/docs/cve-2025-40776) | 9.18.38-S1 | 9.20.11-S1 |
| 2025-07-16 | [CVE-2025-40777](/docs/cve-2025-40777) | - | 9.20.11 |
| 2025-06-18 | No CVEs fixed in this release | - | 9.20.10 |
| 2025-05-21 | No CVEs fixed in this release | 9.18.37 | - |
| 2025-05-21 | [CVE-2025-40775](/docs/cve-2025-40775) | - | 9.20.9 |
| 2025-04-16 | No CVEs fixed in this release | 9.18.36 | 9.20.8 |
| 2025-03-19 | No CVEs fixed in this release | 9.18.35 | 9.20.7 |
| 2025-02-19 | No CVEs fixed in this release | 9.18.34 | 9.20.6 |
| 2025-01-29 | [CVE-2024-11187](/docs/cve-2024-11187) | 9.18.33 | 9.20.5 |
| 2025-01-29 | [CVE-2024-12705](/docs/cve-2024-12705) | 9.18.33 | 9.20.5 |
| 2024-12-11 | No CVEs fixed in this release | 9.18.32 | 9.20.4 |
| 2024-10-16 | No CVEs fixed in this release | 9.18.31 | 9.20.3 |
| 2024-09-18 | No CVEs fixed in this release | 9.18.30 | 9.20.2 |
| 2024-08-21 | No CVEs fixed in this release | 9.18.29 | 9.20.1 |
| 2024-07-23 | No CVEs fixed in this release | - | 9.20.0 |
| 2024-07-23 | [CVE-2024-0760](/docs/cve-2024-0760) | 9.18.28 | - |
| 2024-07-23 | [CVE-2024-1737](/docs/cve-2024-1737) | 9.18.28 | - |
| 2024-07-23 | [CVE-2024-1975](/docs/cve-2024-1975) | 9.18.28 | - |
| 2024-07-23 | [CVE-2024-4076](/docs/cve-2024-4076) | 9.18.28 | - |
| 2024-05-15 | No CVEs fixed in this release | 9.18.27 | - |
| 2024-04-17 | No CVEs fixed in this release | 9.18.26 | - |
| 2024-03-20 | No CVEs fixed in this release | 9.18.25 | - |
| 2024-02-13 | [CVE-2023-4408](/docs/cve-2023-4408) | 9.18.24 | - |
| 2024-02-13 | [CVE-2023-5517](/docs/cve-2023-5517) | 9.18.24 | - |
| 2024-02-13 | [CVE-2023-5679](/docs/cve-2023-5679) | 9.18.24 | - |
| 2024-02-13 | [CVE-2023-5680](/docs/cve-2023-5680) | 9.18.24-S1 | - |
| 2024-02-13 | [CVE-2023-6516](/docs/cve-2023-6516) | - | - |
| 2024-02-13 | [CVE-2023-50387](/docs/cve-2023-50387) | 9.18.24 | - |
| 2024-02-13 | [CVE-2023-50868](/docs/cve-2023-50868) | 9.18.24 | - |
| 2024-01-15 | Release Withdrawn | 9.18.23 | - |
| 2024-01-15 | Release Withdrawn | 9.18.22 | - |
| 2023-12-20 | No CVEs fixed in this release | 9.18.21 | - |
| 2023-11-15 | No CVEs fixed in this release | 9.18.20 | - |
| 2023-09-20 | [CVE-2023-3341](/docs/cve-2023-3341) | 9.18.19 | - |
| 2023-09-20 | [CVE-2023-4236](/docs/cve-2023-4236) | 9.18.19 | - |
| 2023-08-16 | No CVEs fixed in this release | 9.18.18 | - |
| 2023-07-19 | No CVEs fixed in this release | 9.18.17 | - |
| 2023-06-21 | [CVE-2023-2828](/docs/cve-2023-2828) | 9.18.16 | - |
| 2023-06-21 | [CVE-2023-2829](/docs/cve-2023-2829) | 9.18.16-S1 | - |
| 2023-06-21 | [CVE-2023-2911](/docs/cve-2023-2911) | 9.18.16 | - |
| 2023-05-17 | No CVEs fixed in this release | 9.18.15 | - |
| 2023-04-19 | No CVEs fixed in this release | 9.18.14 | - |
| 2023-03-15 | No CVEs fixed in this release | 9.18.13 | - |
| 2023-02-15 | No CVEs fixed in this release | 9.18.12 | - |
| 2023-01-25 | [CVE-2022-3094](/docs/cve-2022-3094) | 9.18.11 | - |
| 2023-01-25 | [CVE-2022-3488](/docs/cve-2022-3488) | - | - |
| 2023-01-25 | [CVE-2022-3736](/docs/cve-2022-3736) | 9.18.11 | - |
| 2023-01-25 | [CVE-2022-3924](/docs/cve-2022-3924) | 9.18.11 | - |
| 2022-12-21 | No CVEs fixed in this release | 9.18.10 | - |
| 2022-11-16 | No CVEs fixed in this release | 9.18.9 | - |
| 2022-10-19 | No CVEs fixed in this release | 9.18.8 | - |
| 2022-09-21 | [CVE-2022-2795](/docs/cve-2022-2795) | 9.18.7 | - |
| 2022-09-21 | [CVE-2022-2881](/docs/cve-2022-2881) | 9.18.7 | - |
| 2022-09-21 | [CVE-2022-2906](/docs/cve-2022-2906) | 9.18.7 | - |
| 2022-09-21 | [CVE-2022-3080](/docs/cve-2022-3080) | 9.18.7 | - |
| 2022-09-21 | [CVE-2022-38177](/docs/cve-2022-38177) | - | - |
| 2022-09-21 | [CVE-2022-38178](/docs/cve-2022-38178) | 9.18.7 | - |
| 2022-08-17 | No CVEs fixed in this release | 9.18.6 | - |
| 2022-07-20 | No CVEs fixed in this release | 9.18.5 | - |
| 2022-06-15 | No CVEs fixed in this release | 9.18.4 | - |
| 2022-05-18 | [CVE-2022-1183](/docs/cve-2022-1183) | 9.18.3 | - |
| 2022-04-20 | No CVEs fixed in this release | 9.18.2 | - |
| 2022-03-16 | [CVE-2021-25220](/docs/cve-2021-25220) | 9.18.1 | - |
| 2022-03-16 | [CVE-2022-0396](/docs/cve-2022-0396) | 9.18.1 | - |
| 2022-03-16 | [CVE-2022-0635](/docs/cve-2022-0635) | 9.18.1 | - |
| 2022-03-16 | [CVE-2022-0667](/docs/cve-2022-0667) | 9.18.1 | - |
| 2022-01-26 | No CVEs fixed in this release | 9.18.0 | - |

## Related

- [ISC CVSS Scoring Guidelines](/isc-cvss-scoring-guidelines.md)
- [ISC Software Defect and Vulnerability Disclosure Policy](/aa-00861.md)
- [ISC's Software Support Policy and Version Numbering](/aa-00896.md)