---
title: "List of BIND Security Advisories"
slug: "all-bind-advisories"
description: "This is a complete list of all BIND security advisories, both current and historical. Advisories apply only to particular versions of BIND."
updated: 2026-06-01T13:06:32Z
published: 2026-06-01T13:06:32Z
canonical: "kb.isc.org/all-bind-advisories"
---

# List of BIND Security Advisories

## Introduction

This is a complete list of all BIND security advisories, both current and historical. Advisories apply only to particular versions of BIND, and this list makes no attempt to differentiate.

For information on ***which versions*** are vulnerable, see the [BIND 9 Software Vulnerability Matrix](/docs/aa-00913) instead.

Advisories are listed by date, most recent first. The release date is the date of public disclosure. In this table, release dates prior to 2022 may not be entirely accurate; the individual advisories should be checked to confirm.

## Advisories

| CVE ID | Title | Released |
| --- | --- | --- |
| [CVE-2026-3119](/docs/cve-2026-3119) | Authenticated query containing a TKEY record may cause named to terminate unexpectedly | 2026-03-25 |
| [CVE-2026-3104](/docs/cve-2026-3104) | Memory leak in code preparing DNSSEC proofs of non-existence | 2026-03-25 |
| [CVE-2026-1519](/docs/cve-2026-1519) | Excessive NSEC3 iterations cause high CPU load during insecure delegation validation | 2026-03-25 |
| [CVE-2025-8677](/docs/cve-2025-8677) | Resource exhaustion via malformed DNSKEY handling | 2026-01-21 |
| [CVE-2025-40780](/docs/cve-2025-40780) | Cache poisoning due to weak PRNG | 2025-10-22 |
| [CVE-2025-40778](/docs/cve-2025-40778) | Cache poisoning attacks with unsolicited RRs | 2025-10-22 |
| [CVE-2025-40777](/docs/cve-2025-40777) | A possible assertion failure when using the 'stale-answer-client-timeout 0' option | 2025-07-24 |
| [CVE-2025-40776](/docs/cve-2025-40776) | Birthday Attack against Resolvers supporting ECS | 2025-07-16 |
| [CVE-2025-40775](/docs/cve-2025-40775) | DNS message with invalid TSIG causes an assertion failure | 2025-05-21 |
| [CVE-2025-13878](/docs/cve-2025-13878) | Malformed BRID/HHIT records can cause named to terminate unexpectedly | 2026-01-21 |
| [CVE-2024-4076](/docs/cve-2024-4076) | Assertion failure when serving both stale cache data and authoritative zone content | 2024-07-23 |
| [CVE-2024-28872](/docs/cve-2024-28872) | Incorrect TLS certificate validation can lead to escalated privileges | 2024-03-27 |
| [CVE-2024-1975](/docs/cve-2024-1975) | SIG(0) can be used to exhaust CPU resources | 2024-07-23 |
| [CVE-2024-1737](/docs/cve-2024-1737) | BIND's database will be slow if a very large number of RRs exist at the same name | 2024-07-23 |
| [CVE-2024-12705](/docs/cve-2024-12705) | DNS-over-HTTPS implementation suffers from multiple issues under heavy query load | 2025-01-29 |
| [CVE-2024-11187](/docs/cve-2024-11187) | Many records in the additional section cause CPU exhaustion | 2025-01-29 |
| [CVE-2024-0760](/docs/cve-2024-0760) | A flood of DNS messages over TCP may make the server unstable | 2024-07-23 |
| [CVE-2023-6516](/docs/cve-2023-6516) | Specific recursive query patterns may lead to an out-of-memory condition | 2024-02-13 |
| [CVE-2023-5680](/docs/cve-2023-5680) | Cleaning an ECS-enabled cache may cause excessive CPU load | 2024-02-13 |
| [CVE-2023-5679](/docs/cve-2023-5679) | Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution | 2024-02-13 |
| [CVE-2023-5517](/docs/cve-2023-5517) | Querying RFC 1918 reverse zones may cause an assertion failure when nxdomain-redirect is enabled | 2024-02-13 |
| [CVE-2023-50868](/docs/cve-2023-50868) | Preparing an NSEC3 closest encloser proof can exhaust CPU resources | 2024-02-13 |
| [CVE-2023-50387](/docs/cve-2023-50387) | KeyTrap - Extreme CPU consumption in DNSSEC validator | 2024-02-13 |
| [CVE-2023-4408](/docs/cve-2023-4408) | Parsing large DNS messages may cause excessive CPU load | 2024-02-13 |
| [CVE-2023-4236](/docs/cve-2023-4236) | named may terminate unexpectedly under high DNS-over-TLS query load | 2023-09-20 |
| [CVE-2023-3341](/docs/cve-2023-3341) | A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly | 2023-09-20 |
| [CVE-2023-2911](/docs/cve-2023-2911) | Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 | 2023-06-21 |
| [CVE-2023-2829](/docs/cve-2023-2829) | Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled | 2023-06-21 |
| [CVE-2023-2828](/docs/cve-2023-2828) | named's configured cache size limit can be significantly exceeded | 2023-06-21 |
| [CVE-2022-3924](/docs/cve-2022-3924) | named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota | 2023-01-25 |
| [CVE-2022-38178](/docs/cve-2022-38178) | Memory leaks in EdDSA DNSSEC verification code | 2022-09-21 |
| [CVE-2022-38177](/docs/cve-2022-38177) | Memory leak in ECDSA DNSSEC verification code | 2022-09-21 |
| [CVE-2022-3736](/docs/cve-2022-3736) | named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries | 2023-01-25 |
| [CVE-2022-3488](/docs/cve-2022-3488) | BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries | 2023-01-25 |
| [CVE-2022-3094](/docs/cve-2022-3094) | An UPDATE message flood may cause named to exhaust all available memory | 2023-01-25 |
| [CVE-2022-3080](/docs/cve-2022-3080) | BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly | 2022-09-21 |
| [CVE-2022-2906](/docs/cve-2022-2906) | Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only) | 2022-09-21 |
| [CVE-2022-2881](/docs/cve-2022-2881) | Buffer overread in statistics channel code | 2022-09-21 |
| [CVE-2022-2795](/docs/cve-2022-2795) | Processing large delegations may severely degrade resolver performance | 2022-09-21 |
| [CVE-2022-1183](/docs/cve-2022-1183) | Destroying a TLS session early causes assertion failure | 2022-05-18 |
| [CVE-2022-0667](/docs/cve-2022-0667) | Assertion failure on delayed DS lookup | 2022-03-16 |
| [CVE-2022-0635](/docs/cve-2022-0635) | DNAME insist with synth-from-dnssec enabled | 2022-03-16 |
| [CVE-2022-0396](/docs/cve-2022-0396) | DoS from specifically crafted TCP packets | 2022-03-16 |
| [CVE-2021-25220](/docs/cve-2021-25220) | DNS forwarders - cache poisoning vulnerability | 2022-03-16 |
| [CVE-2021-25219](/docs/cve-2021-25219) | Lame cache can be abused to severely degrade resolver performance | 2021 |
| [CVE-2021-25218](/docs/cve-2021-25218) | A too-strict assertion check could be triggered when responses in BIND 9.16.19 and 9.17.16 require UDP fragmentation if RRL is in use | 2021 |
| [CVE-2021-25216](/docs/cve-2021-25216) | A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack | 2021 |
| [CVE-2021-25215](/docs/cve-2021-25215) | An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself | 2021 |
| [CVE-2021-25214](/docs/cve-2021-25214) | A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly | 2021 |
| [CVE-2020-8625](/docs/cve-2020-8625) | A vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack | 2020 |
| [CVE-2020-8624](/docs/cve-2020-8624) | update-policy rules of type "subdomain" are enforced incorrectly | 2020 |
| [CVE-2020-8623](/docs/cve-2020-8623) | A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c | 2020 |
| [CVE-2020-8622](/docs/cve-2020-8622) | A truncated TSIG response can lead to an assertion failure | 2020 |
| [CVE-2020-8621](/docs/cve-2020-8621) | Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c | 2020 |
| [CVE-2020-8620](/docs/cve-2020-8620) | A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c | 2020 |
| [CVE-2020-8619](/docs/cve-2020-8619) | An asterisk character in an empty non-terminal can cause an assertion failure in rbtdb.c | 2020 |
| [CVE-2020-8618](/docs/cve-2020-8618) | A buffer boundary check assertion in rdataset.c can fail incorrectly during zone transfer | 2020 |
| [CVE-2020-8617](/docs/cve-2020-8617) | A logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c | 2020 |
| [CVE-2020-8616](/docs/cve-2020-8616) | BIND does not sufficiently limit the number of fetches performed when processing referrals | 2020 |
| [CVE-2019-6477](/docs/cve-2019-6477) | TCP-pipelined queries can bypass tcp-clients limit | 2019 |
| [CVE-2019-6476](/docs/cve-2019-6476) | An error in QNAME minimization code can cause BIND to exit with an assertion failure | 2019 |
| [CVE-2019-6475](/docs/cve-2019-6475) | A flaw in mirror zone validity checking can allow zone data to be spoofed | 2019 |
| [CVE-2019-6471](/docs/cve-2019-6471) | A race condition when discarding malformed packets can cause BIND to exit with an assertion failure | 2019 |
| [CVE-2019-6469](/docs/cve-2019-6469) | BIND Supported Preview Edition can exit with an assertion failure if ECS is in use | 2019 |
| [CVE-2019-6468](/docs/cve-2019-6468) | BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used | 2019 |
| [CVE-2019-6467](/docs/cve-2019-6467) | An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c | 2019 |
| [CVE-2019-6465](/docs/cve-2019-6465) | Zone transfer controls for writable DLZ zones were not effective | 2019 |
| [CVE-2018-5745](/docs/cve-2018-5745) | An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys | 2018 |
| [CVE-2018-5744](/docs/cve-2018-5744) | A specially crafted packet can cause named to leak memory | 2018 |
| [CVE-2018-5743](/docs/cve-2018-5743) | Limiting simultaneous TCP clients is ineffective | 2018 |
| [CVE-2018-5741](/docs/cve-2018-5741) | Update policies krb5-subdomain and ms-subdomain | 2018 |
| [CVE-2018-5740](/docs/aa-01639) | A flaw in the "deny-answer-aliases" feature can cause an assertion failure in named | 2018 |
| [CVE-2018-5738](/docs/aa-01616) | Some versions of BIND can improperly permit recursive query service to unauthorized clients | 2018 |
| [CVE-2018-5737](/docs/aa-01606) | BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior even if serve-stale is not enabled | 2018 |
| [CVE-2018-5736](/docs/aa-01602) | Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c | 2018 |
| [CVE-2018-5734](/docs/aa-01562) | A malformed request can trigger an assertion failure in badcache.c | 2018 |
| [CVE-2017-3145](/docs/aa-01542) | Improper fetch cleanup sequencing in the resolver can cause named to crash | 2017 |
| [CVE-2017-3143](/docs/aa-01503) | An error in TSIG authentication can permit unauthorized dynamic updates | 2017 |
| [CVE-2017-3142](/docs/aa-01504) | An error in TSIG authentication can permit unauthorized zone transfers | 2017 |
| [CVE-2017-3141](/docs/aa-01496) | Windows service and uninstall paths are not quoted when BIND is installed | 2017 |
| [CVE-2017-3140](/docs/aa-01495) | An error processing RPZ rules can cause named to loop endlessly after handling a query | 2017 |
| [CVE-2017-3138](/docs/aa-01471) | named exits with a REQUIRE assertion failure if it receives a null command string on its control channel | 2017 |
| [CVE-2017-3137](/docs/aa-01466) | A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME | 2017 |
| [CVE-2017-3136](/docs/aa-01465) | An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" | 2017 |
| [CVE-2017-3135](/docs/aa-01453) | Combination of DNS64 and RPZ Can Lead to Crash | 2017 |
| [CVE-2016-9778](/docs/aa-01442) | An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c | 2016 |
| [CVE-2016-9444](/docs/aa-01441) | An unusually formed DS record response could cause an assertion failure | 2016 |
| [CVE-2016-9147](/docs/aa-01440) | An error handling a query response containing inconsistent DNSSEC information could cause an assertion failure | 2016 |
| [CVE-2016-9131](/docs/aa-01439) | A malformed response to an ANY query can cause an assertion failure during recursion | 2016 |
| [CVE-2016-8864](/docs/aa-01434) | A problem handling responses containing a DNAME answer can lead to an assertion failure | 2016 |
| [CVE-2016-2848](/docs/aa-01433) | A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 and in packages derived from releases prior to that date | 2016 |
| [CVE-2016-2776](/docs/aa-01419) | Assertion Failure in buffer.c While Building Responses to a Specifically Constructed Request | 2016 |
| [CVE-2016-2775](/docs/aa-01393) | A query name which is too long can cause a segmentation fault in lwresd | 2016 |
| [CVE-2016-2088](/docs/aa-01351) | A response containing multiple DNS cookies causes servers with cookie support enabled to exit with an assertion failure | 2016 |
| [CVE-2016-1286](/docs/aa-01353) | A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c | 2016 |
| [CVE-2016-1285](/docs/aa-01352) | An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c | 2016 |
| [CVE-2016-1284](/docs/aa-01348) | A REQUIRE assertion failure in rdataset.c can be deliberately triggered in servers performing NXDOMAIN redirection | 2016 |
| [CVE-2015-8705](/docs/aa-01336) | Problems converting OPT resource records and ECS options to text format can cause BIND to terminate | 2015 |
| [CVE-2015-8704](/docs/aa-01335) | Specific APL data could trigger an INSIST in apl_42.c | 2015 |
| [CVE-2015-8461](/docs/aa-01319) | A race condition when handling socket errors can lead to an assertion failure in resolver.c | 2015 |
| [CVE-2015-8000](/docs/aa-01317) | Responses with a malformed class attribute can trigger an assertion failure in db.c | 2015 |
| [CVE-2015-5986](/docs/aa-01291) | An incorrect boundary check can trigger a REQUIRE assertion failure in openpgpkey_61.c | 2015 |
| [CVE-2015-5722](/docs/aa-01287) | Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c | 2015 |
| [CVE-2015-5477](/docs/aa-01272) | An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure | 2015 |
| [CVE-2015-4620](/docs/aa-01267) | Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating | 2015 |
| [CVE-2015-1349](/docs/aa-01235) | A Problem with Trust Anchor Management Can Cause named to Crash | 2015 |
| [CVE-2014-8680](/docs/aa-01217) | Defects in GeoIP features can cause BIND to crash | 2014 |
| [CVE-2014-8500](/docs/aa-01216) | A Defect in Delegation Handling Can Be Exploited to Crash BIND | 2014 |
| [CVE-2014-3859](/docs/aa-01166) | BIND named can crash due to a defect in EDNS printing processing | 2014 |
| [CVE-2014-3214](/docs/aa-01161) | A Defect in Prefetch Can Cause Recursive Servers to Crash | 2014 |
| [CVE-2014-0591](/docs/aa-01078) | A Crafted Query Against an NSEC3-signed Zone Can Crash BIND | 2014 |
| [CVE-2013-6230](/docs/aa-01062) | A Winsock API Bug Can Cause a Side-Effect Affecting BIND ACLs | 2013 |
| [CVE-2013-4854](/docs/aa-01015) | A specially crafted query can cause BIND to terminate abnormally | 2013 |
| [CVE-2013-3919](/docs/aa-00967) | A recursive resolver can be crashed by a query for a malformed zone | 2013 |
| [CVE-2013-2266](/docs/aa-00871) | A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named | 2013 |
| [CVE-2012-5689](/docs/aa-00855) | BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ | 2012 |
| [CVE-2012-5688](/docs/aa-00828) | BIND 9 servers using DNS64 can be crashed by a crafted query | 2012 |
| [CVE-2012-5166](/docs/aa-00801) | Specially crafted DNS data can cause a lockup in named | 2012 |
| [CVE-2012-4244](/docs/aa-00778) | A specially crafted Resource Record could cause named to terminate | 2012 |
| [CVE-2012-3868](/docs/aa-00730) | High TCP Query Load Can Trigger a Memory Leak in BIND 9 | 2012 |
| [CVE-2012-3817](/docs/aa-00729) | Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure in BIND 9 | 2012 |
| [CVE-2012-1667](/docs/aa-00698) | Handling of zero length rdata can cause named to terminate unexpectedly | 2012 |
| [CVE-2012-1033](/docs/aa-00691) | Ghost Domain Names: Revoked Yet Still Resolvable | 2012 |
| [CVE-2011-4313](/docs/aa-00544) | BIND 9 Resolver crashes after logging an error in query.c | 2011 |
| [CVE-2011-2465](/docs/aa-00458) | ISC BIND 9 Remote Crash With Certain RPZ Configurations | 2011 |
| [CVE-2011-2464](/docs/aa-00457) | ISC BIND 9 Remote Packet Denial of Service Against Authoritative and Recursive Servers | 2011 |
| [CVE-2011-1910](/docs/aa-00459) | Large RRSIG RRsets and Negative Caching Can Crash named | 2011 |
| [CVE-2011-1907](/docs/aa-00460) | RRSIG Queries Can Trigger Server Crash When Using Response Policy Zones | 2011 |
| [CVE-2011-0414](/docs/aa-00461) | BIND -- Server Lockup Upon IXFR or DDNS Update Combined With High Query Rate | 2011 |
| [CVE-2010-3762](/docs/aa-00935) | failure to handle bad signatures if multiple trust anchors configured | 2010 |
| [CVE-2010-3615](/docs/aa-00937) | allow-query processed incorrectly | 2010 |
| [CVE-2010-3614](/docs/aa-00936) | Key algorithm rollover bug in BIND 9 | 2010 |
| [CVE-2010-3613](/docs/aa-00938) | cache incorrectly allows a ncache entry and a rrsig for the same type | 2010 |
| [CVE-2010-0218](/docs/aa-00934) | Unexpected ACL Behavior in BIND 9.7.2 | 2010 |
| [CVE-2010-0213](/docs/aa-00933) | RRSIG query handling bug in BIND 9.7.1 | 2010 |
| [CVE-2010-0097](/docs/aa-00932) | BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses | 2010 |
| [CVE-2009-4022](/docs/aa-00931) | BIND 9 Cache Update from Additional Section | 2009 |
| [CVE-2009-0696](/docs/aa-00926) | BIND Dynamic Update DoS | 2009 |
| [CVE-2009-0025](/docs/aa-00925) | EVP_VerifyFinal() and DSA_do_verify() return checks | 2009 |
| [CVE-2008-1447](/docs/aa-00924) | DNS Cache Poisoning Issue ("Kaminsky bug") | 2008 |
| [CVE-2008-0122](/docs/aa-00923) | Buffer overflow in inet_network() | 2008 |
| [CVE-2007-2930](/docs/aa-00922) | cryptographically weak DNS query IDs (BIND 8) | 2007 |
| [CVE-2007-2926](/docs/aa-00921) | cryptographically weak query ids | 2007 |
| [CVE-2007-2925](/docs/aa-00920) | allow-query-cache/allow-recursion default acls not set | 2007 |
| [CVE-2007-2241](/docs/aa-00919) | Sequence of queries can cause a recursive nameserver to exit | 2007 |
| [CVE-2007-0494](/docs/aa-00918) | Denial of service via ANY query response containing multiple RRsets. | 2007 |
| [CVE-2007-0493](/docs/aa-00917) | Denial of service via unspecified vectors that cause "dereference a freed fetch context" | 2007 |
| [CVE-2006-4096](/docs/cve-2006-4096) | BIND vulnerable to an INSIST failure via sending of multiple recursive queries | 2006 |
| [CVE-2006-4095](/docs/aa-00916) | Assertion failure when querying for SIG records | 2006 |
| [CVE-2005-0034](/docs/aa-00958) | BIND: Self-check failing | 2005 |
| [CVE-2005-0033](/docs/aa-00957) | BIND: q_usedns array overrun | 2005 |
| [CVE-2003-0914](/docs/aa-00956) | BIND: Negative Cache DOS (negcache) | 2003 |
| [CVE-2002-1221](/docs/aa-00954) | BIND 8 fails to properly dereference cache SIG RR elements with invalid expiry times | 2002 |
| [CVE-2002-1220](/docs/aa-00953) | Assertion failure with large UDP size for nonexistent subdomain | 2002 |
| [CVE-2002-1219](/docs/aa-00955) | BIND: Remote Execution of Code (sigrec) | 2002 |
| [CVE-2002-0651](/docs/aa-00951) | libbind buffer overflow | 2002 |
| [CVE-2002-0400](/docs/aa-00950) | DoS internal consistency check (DoS_findtype) | 2002 |
| [CVE-2001-0013](/docs/aa-00947) | Format string vulnerability in nslookupComplain() | 2001-01-29 |
| [CVE-2001-0012](/docs/aa-00949) | Infoleak | 2001-01-29 |
| [CVE-2001-0011](/docs/aa-00948) | Buffer overflow in nslookupComplain() | 2001-01-29 |
| [CVE-2001-0010](/docs/aa-00946) | tsig bug | 2001-01-29 |
| [CVE-2000-0887](/docs/aa-00945) | zxfr bug | 2000-11-10 |
| [CVE-2000-0888](/docs/aa-00944) | srv bug | 2000-11-07 |
| [CVE-1999-0851](/docs/aa-00941) | naptr bug | 1999-11-11 |
| [CVE-1999-0848](/docs/aa-00943) | fdmax bug | 1999-11-11 |
| [CVE-1999-0835](/docs/aa-00942) | sig bug | 1999-11-11 |
| [CVE-1999-0849](/docs/aa-00940) | maxdname bug | 1999-11-10 |
| [CVE-1999-0833](/docs/aa-00939) | nxt bug | 1999-11-08 |
