BIND 9 Security Vulnerability Matrix
  • 13 Feb 2024


The BIND 9 Security Vulnerability Matrix is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts:

  • The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposures) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to the article in this Knowledgebase on the vulnerability.
  • The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top. If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it. If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.

For example, if you use the top table to look up CVE-2022-0396, you will see that it cross-references to #126. You can then look for column #126 in the lower charts and see which versions are vulnerable. If you were still running BIND 9.16.26, you would know to upgrade.

We do not generally list alpha, beta or release candidate (RC) versions here, and recommend that you use only released software in any environment in which security could be an issue. This page explains our version numbering system.

Vulnerability information for EOL (End of Life) versions of BIND 9 (9.0 through 9.15) and below is included only for vulnerabilities discovered before (or in some cases shortly after) the EOL date. These versions are all known to be affected by some vulnerabilities discovered after their EOL date.

Using obsolete versions of BIND
We recommend that you not use obsolete versions of any ISC software; it was updated for a reason. Listings of vulnerabilities affecting obsolete versions of BIND have been split into articles grouped by branch: 9.0, 9.1, 9.2, 9.3, 9.4/9.4‑ESV, 9.5, 9.6/9.6‑ESV, 9.7, 9.8, 9.9, 9.9‑S, 9.10, 9.10‑S, 9.11, 9.11-S, 9.12, 9.13, 9.14, and 9.15.

Listing of Vulnerabilities affecting current branches of BIND

# CVE Number Short Description
151 2023-50868 Preparing an NSEC3 closest encloser proof can exhaust CPU resources
150 2023-50387 KeyTrap - Extreme CPU consumption in DNSSEC validator
149 2023-6516 Specific recursive query patterns may lead to an out-of-memory condition
148 2023-5680 Cleaning an ECS-enabled cache may cause excessive CPU load
147 2023-5679 Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution
146 2023-5517 Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled
145 2023-4408 Parsing large DNS messages may cause excessive CPU load
144 2023-4236 named may terminate unexpectedly under high DNS-over-TLS query load
143 2023-3341 A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly
142 2023-2911 Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0
141 2023-2829 Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled
140 2023-2828 named's configured cache size limit can be significantly exceeded
139 2022-3924 named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota
138 2022-3736 named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries
137 2022-3488 BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries
136 2022-3094 An UPDATE message flood may cause named to exhaust all available memory
135 2022-38178 Memory leaks in EdDSA DNSSEC verification code
134 2022-38177 Memory leak in ECDSA DNSSEC verification code
133 2022-3080 BIND 9 resolvers configured to answer from stale cache with zero stale-answer-timeout may terminate unexpectedly
132 2022-2906 Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only)
131 2022-2881 Buffer overread in statistics channel code
130 2022-2795 Processing large delegations may severely degrade resolver performance
129 2022-1183 Destroying TLS session early triggers assertion failure
128 2022-0667 Assertion failure on delayed DS lookup
127 2022-0635 DNAME insist with synth-from-dnssec enabled
126 2022-0396 DoS from specifically crafted TCP packets
125 2021-25220 DNS forwarders - cache poisoning vulnerability
124 2021-25219 Lame cache can be abused to severely degrade resolver performance
123 2021-25218 A too-strict assertion check could be triggered when responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if RRL is in use
122 2021-25216 A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
121 2021-25215 Crash while answering queries for DNAME records that require the DNAME to be processed to resolve itself
120 2021-25214 A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly
119 2020-8625 A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
118 2020-8624 "update-policy" rules of type "subdomain" are enforced incorrectly
117 2020-8623 A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c
116 2020-8622 A truncated TSIG response can lead to an assertion failure
115 2020-8621 Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c
114 2020-8620 A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c
113 2020-8619 An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c
112 2020-8618 A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer
111 2020-8617 A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c
110 2020-8616 BIND does not sufficiently limit the number of fetches when chasing referrals
Why don't the reference numbers begin at 1?
Our reference numbering started with BIND 8. We have since separated the information for BIND 8 and also obsolete branches of BIND 9. To reduce the possibility of confusion when referring to the individual pages, we have chosen to maintain uniform numbering across all of them, matching the historic numbering, including gaps where some reports affected only BIND 8. As major branches of BIND have reached EOL (End of Life), the lowest numbered vulnerability affecting our current versions has increased. Issues only affecting obsolete branches of BIND have been moved to a separate section later in this KB.
Why are some versions of BIND crossed out?

This BIND Security Vulnerability Matrix includes some versions of BIND that were built and then withdrawn due to regressions discovered late in the release process or, in some instances, subsequent to public release.

BIND 9.19

BIND 9.19 is a development/experimental version of BIND.

ver/CVE 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151
9.19.21
9.19.20 + +
9.19.19 + + + + +
9.19.18 + + + + +
9.19.17 + + + + +
9.19.16 + + + + + +
9.19.15 + + + + + +
9.19.14 + + + + + +
9.19.13 + + + + + + +
9.19.12 + + + + + + +
9.19.11 + + + + + + +
9.19.10 + + + + + + +
9.19.9 + + + + + + +
9.19.8 + + + + + + + + + +
9.19.7 + + + + + + + + + +
9.19.6 + + + + + + + + + +
9.19.5 + + + + + + + + + +
9.19.4 + + + + + + + + + + + + + +
9.19.3 + + + + + + + + + + + + + +
9.19.2 + + + + + + + + + + + + + +
9.19.1 + + + + + + + + + + + + + +
9.19.0 + + + + + + + + + + + + + + +

BIND 9.18

BIND 9.18 is the current stable branch of BIND.

ver/CVE 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151
9.18.24
9.18.23
9.18.22 + +
9.18.21 + + + + +
9.18.20 + + + + +
9.18.19 + + + + +
9.18.18 + + + + + + +
9.18.17 + + + + + + +
9.18.16 + + + + + + +
9.18.15 + + + + + + + + +
9.18.14 + + + + + + + + +
9.18.13 + + + + + + + + +
9.18.12 + + + + + + + + +
9.18.11 + + + + + + + + +
9.18.10 + + + + + + + + + + + +
9.18.9 + + + + + + + + + + + +
9.18.8 + + + + + + + + + + + +
9.18.7 + + + + + + + + + + + +
9.18.6 + + + + + + + + + + + + + + + +
9.18.5 + + + + + + + + + + + + + + + +
9.18.4 + + + + + + + + + + + + + + + +
9.18.3 + + + + + + + + + + + + + + + +
9.18.2 + + + + + + + + + + + + + + + + +
9.18.1 + + + + + + + + + + + + + + + + +
9.18.0 + + + + + + + + + + + + + + + + + + + + +

BIND 9.16

9.16 is the current Extended Support Version (ESV) of BIND.

ver/CVE 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151
9.16.48
9.16.47
9.16.46 + +
9.16.45 + + + + + +
9.16.44 + + + + + +
9.16.43 + + + + + + +
9.16.42 + + + + + + +
9.16.41 + + + + + + + + +
9.16.40 + + + + + + + + +
9.16.39 + + + + + + + + +
9.16.38 + + + + + + + + +
9.16.37 + + + + + + + + +
9.16.36 + + + + + + + + + + + +
9.16.35 + + + + + + + + + + + +
9.16.34 + + + + + + + + + + + +
9.16.33 + + + + + + + + + + + +
9.16.32 + + + + + + + + + + + + + + +
9.16.31 + + + + + + + + + + + + + + +
9.16.30 + + + + + + + + + + + + + + +
9.16.29 + + + + + + + + + + + + + + +
9.16.28 + + + + + + + + + + + + + + +
9.16.27 + + + + + + + + + + + + + + +
9.16.26 + + + + + + + + + + + + + + + + +
9.16.25 + + + + + + + + + + + + + + + + +
9.16.24 + + + + + + + + + + + + + + + + +
9.16.23 + + + + + + + + + + + + + + + + +
9.16.22 + + + + + + + + + + + + + + + + +
9.16.21 + + + + + + + + + + + + + + + + + +
9.16.20 + + + + + + + + + + + + + + + + + +
9.16.19 + + + + + + + + + + + + + + + + + + +
9.16.18 + + + + + + + + + + + + + + + + + +
9.16.17 + + + + + + + + + + + + + + + + + +
9.16.16 + + + + + + + + + + + + + + + + + +
9.16.15 + + + + + + + + + + + + + + + + + +
9.16.14 + + + + + + + + + + + + + + + + + +
9.16.13 + + + + + + + + + + + + + + + + + + + +
9.16.12 + + + + + + + + + + + + + + + + + + + +
9.16.11 + + + + + + + + + + + + + + + + + + +
9.16.10 + + + + + + + + + + + + + + + + + +
9.16.9 + + + + + + + + + + + + + + + + + +
9.16.8 + + + + + + + + + + + + + + + + + +
9.16.7 + + + + + + + + + + + + + + + + + +
9.16.6 + + + + + + + + + + + + + + + + + +
9.16.5 + + + + + + + + + + + + + + + + + + + + + + +
9.16.4 + + + + + + + + + + + + + + + + + + + + + + +
9.16.3 + + + + + + + + + + + + + + + + + + + + + + + + +
9.16.2 + + + + + + + + + + + + + + + + + + + + + + + + + + +
9.16.1 + + + + + + + + + + + + + + + + + + + + + + + + + + +
9.16.0 + + + + + + + + + + + + + + + + + + + + + + + + + + +

BIND 9.18 Supported Preview edition

If you'd like more information on our product support or about our BIND Subscription version, please visit https://www.isc.org/bind.

ver/CVE 140 141 142 143 144 145 146 147 148 149 150 151
9.18.24-S1
9.18.23-S1
9.18.22-S1 + +
9.18.21-S1 + + + + + +
9.18.20-S1 + + + + + +
9.18.19-S1 + + + + + +
9.18.18-S1 + + + + + + + +
9.18.17-S1 + + + + + + + +
9.18.16-S1 + + + + + + + +
9.18.15-S1 + + + + + + + + + + +
9.18.14-S1 + + + + + + + + + + +
9.18.13-S1 + + + + + + + + + + +
9.18.12-S1 + + + + + + + + + + +
9.18.11-S1 + + + + + + + + + + +

BIND 9.16 Supported Preview edition

If you'd like more information on our product support or about our BIND Subscription version, please visit https://www.isc.org/bind.

ver/CVE 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151
9.16.48-S1
9.16.47-S1
9.16.46-S1 + +
9.16.45-S1 + + + + + + +
9.16.44-S1 + + + + + + +
9.16.43-S1 + + + + + + + +
9.16.42-S1 + + + + + + + +
9.16.41-S1 + + + + + + + + + + +
9.16.40-S1 + + + + + + + + + + +
9.16.39-S1 + + + + + + + + + + +
9.16.38-S1 + + + + + + + + + + +
9.16.37-S1 + + + + + + + + + + +
9.16.36-S1 + + + + + + + + + + + + + + +
9.16.35-S1 + + + + + + + + + + + + + + +
9.16.34-S1 + + + + + + + + + + + + + + +
9.16.33-S1 + + + + + + + + + + + + + + +
9.16.32-S1 + + + + + + + + + + + + + + + + + +
9.16.31-S1 + + + + + + + + + + + + + + + + + +
9.16.30-S1 + + + + + + + + + + + + + + + + + +
9.16.29-S1 + + + + + + + + + + + + + + + + + +
9.16.28-S1 + + + + + + + + + + + + + + + + + +
9.16.27-S1 + + + + + + + + + + + + + + + + + +
9.16.26-S1 + + + + + + + + + + + + + + + + + + + +
9.16.25-S1 + + + + + + + + + + + + + + + + + + + +
9.16.24-S1 + + + + + + + + + + + + + + + + + + + +
9.16.23-S1 + + + + + + + + + + + + + + + + + + + +
9.16.22-S1 + + + + + + + + + + + + + + + + + + + +
9.16.21-S1 + + + + + + + + + + + + + + + + + + + + +
9.16.20-S1 + + + + + + + + + + + + + + + + + + + + +
9.16.19-S1 + + + + + + + + + + + + + + + + + + + + + +
9.16.18-S1 + + + + + + + + + + + + + + + + + + + + +
9.16.17-S1 + + + + + + + + + + + + + + + + + + + + +
9.16.16-S1 + + + + + + + + + + + + + + + + + + + + +
9.16.15-S1 + + + + + + + + + + + + + + + + + + + + +
9.16.14-S1 + + + + + + + + + + + + + +
9.16.13-S1 + + + + + + + + + + + + + + + + + + + + + + +
9.16.12-S1 + + + + + + + + + + + + + + + + + + + + + + +
9.16.11-S1 + + + + + + + + + + + + + + + + + + + + + +
9.16.10-S1 + + + + + + + + + + + + + +
9.16.9-S1 + + + + + + + + + + + + + + + + + + + + +
9.16.8-S1 + + + + + + + + + + + + + + + + + + + + +