Introduction
This is a complete list of all BIND security advisories, both current and historical. Each advisory applies only to particular versions of BIND, and this list makes no attempt to indicate which.
For information on which versions are vulnerable, see the BIND 9 Software Vulnerability Matrix instead.
Advisories are listed by date, most recent first. The release date is the date of public disclosure. In this table, release dates prior to 2022 may not be entirely accurate; the individual advisories should be checked to confirm.
Advisories
| CVE ID | Title | Released |
|---|---|---|
| CVE-2026-3119 | Authenticated query containing a TKEY record may cause named to terminate unexpectedly | 2026-03-25 |
| CVE-2026-3104 | Memory leak in code preparing DNSSEC proofs of non-existence | 2026-03-25 |
| CVE-2026-1519 | Excessive NSEC3 iterations cause high CPU load during insecure delegation validation | 2026-03-25 |
| CVE-2025-8677 | Resource exhaustion via malformed DNSKEY handling | 2026-01-21 |
| CVE-2025-40780 | Cache poisoning due to weak PRNG | 2025-10-22 |
| CVE-2025-40778 | Cache poisoning attacks with unsolicited RRs | 2025-10-22 |
| CVE-2025-40777 | A possible assertion failure when using the 'stale-answer-client-timeout 0' option | 2025-07-24 |
| CVE-2025-40776 | Birthday Attack against Resolvers supporting ECS | 2025-07-16 |
| CVE-2025-40775 | DNS message with invalid TSIG causes an assertion failure | 2025-05-21 |
| CVE-2025-13878 | Malformed BRID/HHIT records can cause named to terminate unexpectedly | 2026-01-21 |
| CVE-2024-4076 | Assertion failure when serving both stale cache data and authoritative zone content | 2024-07-23 |
| CVE-2024-28872 | Incorrect TLS certificate validation can lead to escalated privileges | 2024-03-27 |
| CVE-2024-1975 | SIG(0) can be used to exhaust CPU resources | 2024-07-23 |
| CVE-2024-1737 | BIND's database will be slow if a very large number of RRs exist at the same name | 2024-07-23 |
| CVE-2024-12705 | DNS-over-HTTPS implementation suffers from multiple issues under heavy query load | 2025-01-29 |
| CVE-2024-11187 | Many records in the additional section cause CPU exhaustion | 2025-01-29 |
| CVE-2024-0760 | A flood of DNS messages over TCP may make the server unstable | 2024-07-23 |
| CVE-2023-6516 | Specific recursive query patterns may lead to an out-of-memory condition | 2024-02-13 |
| CVE-2023-5680 | Cleaning an ECS-enabled cache may cause excessive CPU load | 2024-02-13 |
| CVE-2023-5679 | Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution | 2024-02-13 |
| CVE-2023-5517 | Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is enabled | 2024-02-13 |
| CVE-2023-50868 | Preparing an NSEC3 closest encloser proof can exhaust CPU resources | 2024-02-13 |
| CVE-2023-50387 | KeyTrap - Extreme CPU consumption in DNSSEC validator | 2024-02-13 |
| CVE-2023-4408 | Parsing large DNS messages may cause excessive CPU load | 2024-02-13 |
| CVE-2023-4236 | named may terminate unexpectedly under high DNS-over-TLS query load | 2023-09-20 |
| CVE-2023-3341 | A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly | 2023-09-20 |
| CVE-2023-2911 | Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 | 2023-06-21 |
| CVE-2023-2829 | Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled | 2023-06-21 |
| CVE-2023-2828 | named's configured cache size limit can be significantly exceeded | 2023-06-21 |
| CVE-2022-3924 | named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota | 2023-01-25 |
| CVE-2022-38178 | Memory leaks in EdDSA DNSSEC verification code | 2022-09-21 |
| CVE-2022-38177 | Memory leak in ECDSA DNSSEC verification code | 2022-09-21 |
| CVE-2022-3736 | named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries | 2023-01-25 |
| CVE-2022-3488 | BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries | 2023-01-25 |
| CVE-2022-3094 | An UPDATE message flood may cause named to exhaust all available memory | 2023-01-25 |
| CVE-2022-3080 | BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly | 2022-09-21 |
| CVE-2022-2906 | Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only) | 2022-09-21 |
| CVE-2022-2881 | Buffer overread in statistics channel code | 2022-09-21 |
| CVE-2022-2795 | Processing large delegations may severely degrade resolver performance | 2022-09-21 |
| CVE-2022-1183 | Destroying a TLS session early causes assertion failure | 2022-05-18 |
| CVE-2022-0667 | Assertion failure on delayed DS lookup | 2022-03-16 |
| CVE-2022-0635 | DNAME insist with synth-from-dnssec enabled | 2022-03-16 |
| CVE-2022-0396 | DoS from specifically crafted TCP packets | 2022-03-16 |
| CVE-2021-25220 | DNS forwarders - cache poisoning vulnerability | 2022-03-16 |
| CVE-2021-25219 | Lame cache can be abused to severely degrade resolver performance | 2021 |
| CVE-2021-25218 | A too-strict assertion check could be triggered when responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if RRL is in use | 2021 |
| CVE-2021-25216 | A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack | 2021 |
| CVE-2021-25215 | An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself | 2021 |
| CVE-2021-25214 | A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly | 2021 |
| CVE-2020-8625 | A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack | 2020 |
| CVE-2020-8624 | update-policy rules of type "subdomain" are enforced incorrectly | 2020 |
| CVE-2020-8623 | A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c | 2020 |
| CVE-2020-8622 | A truncated TSIG response can lead to an assertion failure | 2020 |
| CVE-2020-8621 | Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c | 2020 |
| CVE-2020-8620 | A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c | 2020 |
| CVE-2020-8619 | An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c | 2020 |
| CVE-2020-8618 | A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer | 2020 |
| CVE-2020-8617 | A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c | 2020 |
| CVE-2020-8616 | BIND does not sufficiently limit the number of fetches performed when processing referrals | 2020 |
| CVE-2019-6477 | TCP-pipelined queries can bypass tcp-clients limit | 2019 |
| CVE-2019-6476 | An error in QNAME minimization code can cause BIND to exit with an assertion failure | 2019 |
| CVE-2019-6475 | A flaw in mirror zone validity checking can allow zone data to be spoofed | 2019 |
| CVE-2019-6471 | A race condition when discarding malformed packets can cause BIND to exit with an assertion failure | 2019 |
| CVE-2019-6469 | BIND Supported Preview Edition can exit with an assertion failure if ECS is in use | 2019 |
| CVE-2019-6468 | BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used | 2019 |
| CVE-2019-6467 | An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c | 2019 |
| CVE-2019-6465 | Zone transfer controls for writable DLZ zones were not effective | 2019 |
| CVE-2018-5745 | An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys | 2018 |
| CVE-2018-5744 | A specially crafted packet can cause named to leak memory | 2018 |
| CVE-2018-5743 | Limiting simultaneous TCP clients is ineffective | 2018 |
| CVE-2018-5741 | Update policies krb5-subdomain and ms-subdomain | 2018 |
| CVE-2018-5740 | A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named | 2018 |
| CVE-2018-5738 | Some versions of BIND can improperly permit recursive query service to unauthorized clients | 2018 |
| CVE-2018-5737 | BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior even if serve-stale is not enabled | 2018 |
| CVE-2018-5736 | Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c | 2018 |
| CVE-2018-5734 | A malformed request can trigger an assertion failure in badcache.c | 2018 |
| CVE-2017-3145 | Improper fetch cleanup sequencing in the resolver can cause named to crash | 2017 |
| CVE-2017-3143 | An error in TSIG authentication can permit unauthorized dynamic updates | 2017 |
| CVE-2017-3142 | An error in TSIG authentication can permit unauthorized zone transfers | 2017 |
| CVE-2017-3141 | Windows service and uninstall paths are not quoted when BIND is installed | 2017 |
| CVE-2017-3140 | An error processing RPZ rules can cause named to loop endlessly after handling a query | 2017 |
| CVE-2017-3138 | named exits with a REQUIRE assertion failure if it receives a null command string on its control channel | 2017 |
| CVE-2017-3137 | A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME | 2017 |
| CVE-2017-3136 | An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" | 2017 |
| CVE-2017-3135 | Combination of DNS64 and RPZ Can Lead to Crash | 2017 |
| CVE-2016-9778 | An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c | 2016 |
| CVE-2016-9444 | An unusually formed DS record response could cause an assertion failure | 2016 |
| CVE-2016-9147 | An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure | 2016 |
| CVE-2016-9131 | A malformed response to an ANY query can cause an assertion failure during recursion | 2016 |
| CVE-2016-8864 | A problem handling responses containing a DNAME answer can lead to an assertion failure | 2016 |
| CVE-2016-2848 | A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 and in packages derived from releases prior to that date | 2016 |
| CVE-2016-2776 | Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request | 2016 |
| CVE-2016-2775 | A query name which is too long can cause a segmentation fault in lwresd | 2016 |
| CVE-2016-2088 | A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure | 2016 |
| CVE-2016-1286 | A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c | 2016 |
| CVE-2016-1285 | An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c | 2016 |
| CVE-2016-1284 | A REQUIRE assertion failure in rdataset.c can be deliberately triggered in servers performing NXDOMAIN redirection | 2016 |
| CVE-2015-8705 | Problems converting OPT resource records and ECS options to text format can cause BIND to terminate | 2015 |
| CVE-2015-8704 | Specific APL data could trigger an INSIST in apl_42.c | 2015 |
| CVE-2015-8461 | A race condition when handling socket errors can lead to an assertion failure in resolver.c | 2015 |
| CVE-2015-8000 | Responses with a malformed class attribute can trigger an assertion failure in db.c | 2015 |
| CVE-2015-5986 | An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c | 2015 |
| CVE-2015-5722 | Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c | 2015 |
| CVE-2015-5477 | An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure | 2015 |
| CVE-2015-4620 | Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating | 2015 |
| CVE-2015-1349 | A Problem with Trust Anchor Management Can Cause named to Crash | 2015 |
| CVE-2014-8680 | Defects in GeoIP features can cause BIND to crash | 2014 |
| CVE-2014-8500 | A Defect in Delegation Handling Can Be Exploited to Crash BIND | 2014 |
| CVE-2014-3859 | BIND named can crash due to a defect in EDNS printing processing | 2014 |
| CVE-2014-3214 | A Defect in Prefetch Can Cause Recursive Servers to Crash | 2014 |
| CVE-2014-0591 | A Crafted Query Against an NSEC3-signed Zone Can Crash BIND | 2014 |
| CVE-2013-6230 | A Winsock API Bug Can Cause a Side-Effect Affecting BIND ACLs | 2013 |
| CVE-2013-4854 | A specially crafted query can cause BIND to terminate abnormally | 2013 |
| CVE-2013-3919 | A recursive resolver can be crashed by a query for a malformed zone | 2013 |
| CVE-2013-2266 | A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named | 2013 |
| CVE-2012-5689 | BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ | 2012 |
| CVE-2012-5688 | BIND 9 servers using DNS64 can be crashed by a crafted query | 2012 |
| CVE-2012-5166 | Specially crafted DNS data can cause a lockup in named | 2012 |
| CVE-2012-4244 | A specially crafted Resource Record could cause named to terminate | 2012 |
| CVE-2012-3868 | High TCP Query Load Can Trigger a Memory Leak in BIND 9 | 2012 |
| CVE-2012-3817 | Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND 9 | 2012 |
| CVE-2012-1667 | Handling of zero length rdata can cause named to terminate unexpectedly | 2012 |
| CVE-2012-1033 | Ghost Domain Names: Revoked Yet Still Resolvable | 2012 |
| CVE-2011-4313 | BIND 9 Resolver crashes after logging an error in query.c | 2011 |
| CVE-2011-2465 | ISC BIND 9 Remote Crash With Certain RPZ Configurations | 2011 |
| CVE-2011-2464 | ISC BIND 9 Remote Packet Denial of Service Against Authoritative and Recursive Servers | 2011 |
| CVE-2011-1910 | Large RRSIG RRsets and Negative Caching Can Crash named | 2011 |
| CVE-2011-1907 | RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones | 2011 |
| CVE-2011-0414 | BIND -- Server Lockup Upon IXFR or DDNS Update Combined With High Query Rate | 2011 |
| CVE-2010-3762 | failure to handle bad signatures if multiple trust anchors configured | 2010 |
| CVE-2010-3615 | allow-query processed incorrectly | 2010 |
| CVE-2010-3614 | Key algorithm rollover bug in BIND 9 | 2010 |
| CVE-2010-3613 | cache incorrectly allows a ncache entry and a rrsig for the same type | 2010 |
| CVE-2010-0218 | Unexpected ACL Behavior in BIND 9.7.2 | 2010 |
| CVE-2010-0213 | RRSIG query handling bug in BIND 9.7.1 | 2010 |
| CVE-2010-0097 | BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses | 2010 |
| CVE-2009-4022 | BIND 9 Cache Update from Additional Section | 2009 |
| CVE-2009-0696 | BIND Dynamic Update DoS | 2009 |
| CVE-2009-0025 | EVP_VerifyFinal() and DSA_do_verify() return checks | 2009 |
| CVE-2008-1447 | DNS Cache Poisoning Issue ("Kaminsky bug") | 2008 |
| CVE-2008-0122 | Buffer overflow in inet_network() | 2008 |
| CVE-2007-2930 | cryptographically weak DNS query IDs (BIND 8) | 2007 |
| CVE-2007-2926 | cryptographically weak query ids | 2007 |
| CVE-2007-2925 | allow-query-cache/allow-recursion default acls not set | 2007 |
| CVE-2007-2241 | Sequence of queries can cause a recursive nameserver to exit | 2007 |
| CVE-2007-0494 | Denial of service via ANY query response containing multiple RRsets. | 2007 |
| CVE-2007-0493 | Denial of service via unspecified vectors that cause "dereference a freed fetch context" | 2007 |
| CVE-2006-4096 | BIND vulnerable to an INSIST failure via sending of multiple recursive queries | 2006 |
| CVE-2006-4095 | Assertion failure when querying for SIG records | 2006 |
| CVE-2005-0034 | BIND: Self-check failing | 2005 |
| CVE-2005-0033 | BIND: q_usedns array overrun | 2005 |
| CVE-2003-0914 | BIND: Negative Cache DOS (negcache) | 2003 |
| CVE-2002-1221 | BIND 8 fails to properly dereference cache SIG RR elements with invalid expiry times | 2002 |
| CVE-2002-1220 | Assertion failure with large UDP size for nonexistent subdomain | 2002 |
| CVE-2002-1219 | BIND: Remote Execution of Code (sigrec) | 2002 |
| CVE-2002-0651 | libbind buffer overflow | 2002 |
| CVE-2002-0400 | DoS internal consistency check (DoS_findtype) | 2002 |
| CVE-2001-0013 | Format string vulnerability in nslookupComplain() | 2001-01-29 |
| CVE-2001-0012 | Infoleak | 2001-01-29 |
| CVE-2001-0011 | Buffer overflow in nslookupComplain() | 2001-01-29 |
| CVE-2001-0010 | tsig bug | 2001-01-29 |
| CVE-2000-0887 | zxfr bug | 2000-11-10 |
| CVE-2000-0888 | srv bug | 2000-11-07 |
| CVE-1999-0851 | naptr bug | 1999-11-11 |
| CVE-1999-0848 | fdmax bug | 1999-11-11 |
| CVE-1999-0835 | sig bug | 1999-11-11 |
| CVE-1999-0849 | maxdname bug | 1999-11-10 |
| CVE-1999-0833 | nxt bug | 1999-11-08 |
