Vulnerability-Lookup

RHSA-2026:6935

Vulnerability from csaf_redhat - Published: 2026-04-07 23:30 - Updated: 2026-04-19 19:41

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Important

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs:

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2025-8677

A vulnerability was found in BIND 9 resolvers, where processing malformed DNSKEY records from a specially crafted zone can lead to resource exhaustion, primarily causing excessive CPU utilization. This issue enables a remote, unauthenticated attacker to degrade resolver performance and potentially cause a denial of service (DoS) for legitimate DNS clients.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 - Uncontrolled Resource Consumption

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. To reduce risk, restrict recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.

CVE-2025-13878

A flaw was found in bind. A remote attacker can send a specially crafted request that results in a corrupt or malicious record, causing the 'named' service to crash. This vulnerability leads to a Denial of Service (DoS) for authoritative servers and resolvers.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1286 - Improper Validation of Syntactic Correctness of Input

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

CVE-2025-40778

A vulnerability exists in BIND’s DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. Under certain conditions, this flaw allows attackers to inject unsolicited or forged DNS records into the cache. This can be exploited to poison the resolver cache, redirecting clients to malicious domains or unauthorized servers.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE-347 - Improper Verification of Cryptographic Signature

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

Workaround While it is not possible to eliminate risk from this vulnerability, there are several options for reducing the risk. These include restricting recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.

CVE-2025-40780

A vulnerability was found in BIND resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG). This weakness allows an attacker to potentially predict the source port and query ID used by BIND, enabling cache poisoning attacks. If successful, the attacker can inject malicious DNS responses into the resolver’s cache, causing clients to receive spoofed DNS data. Authoritative servers are generally unaffected, but recursive resolvers are exposed to this risk. Exploitation is remote and does not require user interaction.

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

CVE-2026-1519

A flaw was found in BIND. A remote attacker could exploit this vulnerability by sending a maliciously crafted DNSSEC-validated zone to a BIND resolver. This could cause the resolver to consume excessive CPU resources, leading to a denial of service (DoS) for legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

Workaround To mitigate this issue, disable DNSSEC validation on affected BIND resolvers. Alternatively, configure the BIND server as authoritative-only if recursive queries are not required. Disabling DNSSEC validation may reduce the security posture of the DNS resolver. A restart of the BIND service (`named`) is required for these changes to take effect and may temporarily interrupt DNS resolution.

CVE-2026-3104

A flaw was found in the BIND resolver. A remote attacker can exploit this vulnerability by querying a specially crafted domain, which causes a memory leak. This memory leak can lead to a Denial of Service (DoS) condition, making the BIND resolver unavailable to legitimate users.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-772 - Missing Release of Resource after Effective Lifetime

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

Workaround To mitigate this issue, restrict access to the BIND resolver to trusted clients only. This can be achieved by configuring firewall rules to limit inbound connections to port 53 (UDP/TCP) from known, authorized IP addresses or networks. Alternatively, configure BIND to listen only on specific trusted interfaces or localhost. Example using firewalld: `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_IP_OR_NETWORK>" port port=53 protocol="udp" accept'` `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_IP_OR_NETWORK>" port port=53 protocol="tcp" accept'` `firewall-cmd --reload` After applying changes, a restart of the BIND service may be required for the new configuration to take full effect. This may temporarily interrupt DNS resolution services.

CVE-2026-3119

A flaw was found in BIND, specifically within the `named` daemon. An authenticated remote attacker, possessing a valid Transaction Signature (TSIG) key configured on the server, could send a specially crafted query containing a TKEY record. This action may cause the `named` daemon to crash, leading to a Denial of Service (DoS) for the affected DNS service.

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-237 - Improper Handling of Structural Elements

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

Workaround To mitigate this issue, restrict access to the `named` service to only trusted networks and clients. If Transaction Signature (TSIG) keys are not actively used or required, consider disabling them in the BIND configuration. If TSIG keys are necessary, ensure they are securely managed and only distributed to authorized clients. After making configuration changes, a restart of the `named` service may be required to apply the changes, which could temporarily impact DNS resolution.

CVE-2026-3591

A flaw was found in BIND, specifically in the named server's handling of DNS queries signed with SIG(0). A remote attacker could exploit this use-after-return vulnerability by sending a specially-crafted DNS request. This could cause an Access Control List (ACL) to improperly match an IP address, potentially leading to unauthorized access to resources.

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-825 - Expired Pointer Dereference

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://images.redhat.com/ https://access.redhat.com/errata/RHSA-2026:6935

Workaround Restrict network access to the `named` service to trusted clients and networks. Configure firewall rules to limit inbound connections to the DNS service port (UDP/TCP 53). For example, using `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_IP_RANGE>" port port="53" protocol="udp" accept'` and `firewall-cmd --reload`. This action may impact DNS resolution for clients outside the specified trusted networks. A service reload or restart may be required for changes to take effect.

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:6935	self
	https://images.redhat.com/	external
	https://access.redhat.com/security/cve/CVE-2025-8677	external
	https://access.redhat.com/security/updates/classi…	external
	https://access.redhat.com/security/cve/CVE-2025-40780	external
	https://access.redhat.com/security/cve/CVE-2025-40778	external
	https://access.redhat.com/security/cve/CVE-2025-13878	external
	https://access.redhat.com/security/cve/CVE-2026-3591	external
	https://access.redhat.com/security/cve/CVE-2026-3119	external
	https://access.redhat.com/security/cve/CVE-2026-3104	external
	https://access.redhat.com/security/cve/CVE-2026-1519	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2025-8677	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2405830	external
	https://www.cve.org/CVERecord?id=CVE-2025-8677	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-8677	external
	https://access.redhat.com/security/cve/CVE-2025-13878	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2431600	external
	https://www.cve.org/CVERecord?id=CVE-2025-13878	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-13878	external
	https://access.redhat.com/security/cve/CVE-2025-40778	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2405827	external
	https://www.cve.org/CVERecord?id=CVE-2025-40778	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-40778	external
	https://access.redhat.com/security/cve/CVE-2025-40780	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2405829	external
	https://www.cve.org/CVERecord?id=CVE-2025-40780	external
	https://nvd.nist.gov/vuln/detail/CVE-2025-40780	external
	https://access.redhat.com/security/cve/CVE-2026-1519	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2451305	external
	https://www.cve.org/CVERecord?id=CVE-2026-1519	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-1519	external
	https://downloads.isc.org/isc/bind9/9.18.47	external
	https://downloads.isc.org/isc/bind9/9.20.21	external
	https://downloads.isc.org/isc/bind9/9.21.20	external
	https://kb.isc.org/docs/cve-2026-1519	external
	https://access.redhat.com/security/cve/CVE-2026-3104	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2451310	external
	https://www.cve.org/CVERecord?id=CVE-2026-3104	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-3104	external
	https://kb.isc.org/docs/cve-2026-3104	external
	https://access.redhat.com/security/cve/CVE-2026-3119	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2451308	external
	https://www.cve.org/CVERecord?id=CVE-2026-3119	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-3119	external
	https://kb.isc.org/docs/cve-2026-3119	external
	https://access.redhat.com/security/cve/CVE-2026-3591	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2451298	external
	https://www.cve.org/CVERecord?id=CVE-2026-3591	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-3591	external
	https://kb.isc.org/docs/cve-2026-3591	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:6935",
        "url": "https://access.redhat.com/errata/RHSA-2026:6935"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-8677",
        "url": "https://access.redhat.com/security/cve/CVE-2025-8677"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-40780",
        "url": "https://access.redhat.com/security/cve/CVE-2025-40780"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-40778",
        "url": "https://access.redhat.com/security/cve/CVE-2025-40778"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-13878",
        "url": "https://access.redhat.com/security/cve/CVE-2025-13878"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-3591",
        "url": "https://access.redhat.com/security/cve/CVE-2026-3591"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-3119",
        "url": "https://access.redhat.com/security/cve/CVE-2026-3119"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-3104",
        "url": "https://access.redhat.com/security/cve/CVE-2026-3104"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-1519",
        "url": "https://access.redhat.com/security/cve/CVE-2026-1519"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6935.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-04-19T19:41:47+00:00",
      "generator": {
        "date": "2026-04-19T19:41:47+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2026:6935",
      "initial_release_date": "2026-04-07T23:30:26+00:00",
      "revision_history": [
        {
          "date": "2026-04-07T23:30:26+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-18T19:59:49+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-19T19:41:47+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@aarch64",
                "product": {
                  "name": "bind-main@aarch64",
                  "product_id": "bind-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind@9.18.48-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@src",
                "product": {
                  "name": "bind-main@src",
                  "product_id": "bind-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind@9.18.48-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@x86_64",
                "product": {
                  "name": "bind-main@x86_64",
                  "product_id": "bind-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind@9.18.48-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "bind-main@noarch",
                "product": {
                  "name": "bind-main@noarch",
                  "product_id": "bind-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/bind-doc@9.18.48-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@aarch64"
        },
        "product_reference": "bind-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@noarch"
        },
        "product_reference": "bind-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@src"
        },
        "product_reference": "bind-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bind-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:bind-main@x86_64"
        },
        "product_reference": "bind-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-8677",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2025-10-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2405830"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in BIND 9 resolvers, where processing malformed DNSKEY records from a specially crafted zone can lead to resource exhaustion, primarily causing excessive CPU utilization. This issue enables a remote, unauthenticated attacker to degrade resolver performance and potentially cause a denial of service (DoS) for legitimate DNS clients.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: Resource exhaustion via malformed DNSKEY handling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is considered Important because it allows a remote, unauthenticated attacker to cause significant CPU exhaustion on vulnerable BIND resolvers by serving zones containing malformed DNSKEY records. The flaw triggers excessive computational effort during DNSKEY validation, leading to degraded performance and potential denial of service for legitimate clients. However, the issue affects availability only\u2014it does not enable code execution, data exposure, or privilege escalation\u2014so it is not classified as critical. Furthermore, authoritative servers are not impacted, limiting the scope of exposure to recursive resolvers. While the attack is easy to launch and can disrupt DNS operations, its effect ceases once the malicious traffic stops, making prompt patching and recursive access control effective mitigations.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-8677"
        },
        {
          "category": "external",
          "summary": "RHBZ#2405830",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405830"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-8677",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-8677"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-8677",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8677"
        }
      ],
      "release_date": "2025-10-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\n\nTo reduce risk, restrict recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: Resource exhaustion via malformed DNSKEY handling"
    },
    {
      "cve": "CVE-2025-13878",
      "cwe": {
        "id": "CWE-1286",
        "name": "Improper Validation of Syntactic Correctness of Input"
      },
      "discovery_date": "2026-01-21T13:45:49.972000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2431600"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in bind. A remote attacker can send a specially crafted request that results in a corrupt or malicious record, causing the \u0027named\u0027 service to crash. This vulnerability leads to a Denial of Service (DoS) for authoritative servers and resolvers.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: bind: Denial of Service via corrupt or malicious record",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important for Red Hat products as it affects the BIND DNS server (named). An attacker can cause the named service to crash by sending a specially crafted request, impacting both authoritative and resolver server configurations. This can lead to a denial of service for DNS resolution.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-13878"
        },
        {
          "category": "external",
          "summary": "RHBZ#2431600",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431600"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-13878",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-13878"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-13878",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13878"
        }
      ],
      "release_date": "2026-01-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: bind: Denial of Service via corrupt or malicious record"
    },
    {
      "cve": "CVE-2025-40778",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2025-10-22T15:07:23.729000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2405827"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability exists in BIND\u2019s DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. Under certain conditions, this flaw allows attackers to inject unsolicited or forged DNS records into the cache. This can be exploited to poison the resolver cache, redirecting clients to malicious domains or unauthorized servers.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: Cache poisoning attacks with unsolicited RRs",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "It is classified as Important rather than Critical because its impact is limited to cache poisoning within recursive resolvers and does not allow direct code execution, privilege escalation, or service disruption. The vulnerability affects the accuracy of DNS responses, but not the availability or confidentiality of systems. Additionally, DNSSEC-enabled deployments and restricted recursive access can significantly mitigate exploitation risks. Therefore, while the flaw can misdirect network traffic and compromise trust in name resolution, it does not directly compromise the underlying server or client systems, justifying an Important \u2014 but not Critical \u2014 severity rating.\n\nTechnical Analysis:\nThe issue arises because BIND fails to strictly validate unsolicited resource records accompanying legitimate DNS responses. This gap allows forged recursive resolvers to be cached as valid entries. Since the attack is remote, requires no authentication, and exploits a low-complexity vector, it is highly impactful in recursive resolver environments\u2014especially those exposed to untrusted clients or open resolvers.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-40778"
        },
        {
          "category": "external",
          "summary": "RHBZ#2405827",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405827"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-40778",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-40778"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-40778",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40778"
        }
      ],
      "release_date": "2025-10-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "While it is not possible to eliminate risk from this vulnerability, there are several options for reducing the risk. These include restricting recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: Cache poisoning attacks with unsolicited RRs"
    },
    {
      "cve": "CVE-2025-40780",
      "cwe": {
        "id": "CWE-338",
        "name": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"
      },
      "discovery_date": "2025-10-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2405829"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in BIND resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG). This weakness allows an attacker to potentially predict the source port and query ID used by BIND, enabling cache poisoning attacks. If successful, the attacker can inject malicious DNS responses into the resolver\u2019s cache, causing clients to receive spoofed DNS data. Authoritative servers are generally unaffected, but recursive resolvers are exposed to this risk. Exploitation is remote and does not require user interaction.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: Cache poisoning due to weak PRNG",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability in BIND 9 resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG) used to select the UDP source port and DNS query (transaction) ID. Exploitation requires an attacker to correctly predict both values and race the legitimate authoritative response with a spoofed packet to perform cache poisoning. While the PRNG weakness reduces entropy and makes prediction feasible under certain conditions, this still requires precise timing, on-path or spoofing capabilities, and targeting of recursive resolvers.\n\nThe impact is limited to resolver cache integrity; it does not allow remote code execution, privilege escalation, or direct compromise of the BIND server itself. Authoritative servers are not affected. Additionally, operational mitigations such as DNSSEC validation, access control restricting recursion, and network-level packet filtering reduce real-world exploitability. No active exploits have been observed in the wild.\n\nBecause exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered Important rather than Critical.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-40780"
        },
        {
          "category": "external",
          "summary": "RHBZ#2405829",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405829"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-40780",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-40780"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-40780",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40780"
        }
      ],
      "release_date": "2025-10-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\n\nTo reduce risk, restrict recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: Cache poisoning due to weak PRNG"
    },
    {
      "cve": "CVE-2026-1519",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-03-25T14:01:56.586125+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451305"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in BIND. A remote attacker could exploit this vulnerability by sending a maliciously crafted DNSSEC-validated zone to a BIND resolver. This could cause the resolver to consume excessive CPU resources, leading to a denial of service (DoS) for legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as Important. A flaw in BIND allows a remote attacker to cause a Denial of Service by sending a maliciously crafted DNSSEC-validated zone to a BIND resolver. Red Hat systems running BIND configured for DNSSEC validation are affected. Authoritative-only BIND servers are generally not impacted unless configured to perform recursive queries.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-1519"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451305",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451305"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-1519",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-1519"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-1519",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1519"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.18.47",
          "url": "https://downloads.isc.org/isc/bind9/9.18.47"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.20.21",
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.21.20",
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        },
        {
          "category": "external",
          "summary": "https://kb.isc.org/docs/cve-2026-1519",
          "url": "https://kb.isc.org/docs/cve-2026-1519"
        }
      ],
      "release_date": "2026-03-25T13:25:19.802000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, disable DNSSEC validation on affected BIND resolvers. Alternatively, configure the BIND server as authoritative-only if recursive queries are not required. Disabling DNSSEC validation may reduce the security posture of the DNS resolver. A restart of the BIND service (`named`) is required for these changes to take effect and may temporarily interrupt DNS resolution.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone"
    },
    {
      "cve": "CVE-2026-3104",
      "cwe": {
        "id": "CWE-772",
        "name": "Missing Release of Resource after Effective Lifetime"
      },
      "discovery_date": "2026-03-25T14:02:15.067111+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451310"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the BIND resolver. A remote attacker can exploit this vulnerability by querying a specially crafted domain, which causes a memory leak. This memory leak can lead to a Denial of Service (DoS) condition, making the BIND resolver unavailable to legitimate users.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: BIND: Denial of Service via specially crafted domain query causing a memory leak",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important denial of service flaw in BIND 9. A remote attacker can trigger a memory leak in the BIND resolver by sending a specially crafted domain query, potentially exhausting system resources. Red Hat Enterprise Linux versions shipping BIND 9.18 are not affected by this vulnerability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-3104"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451310",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451310"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-3104",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3104"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3104",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3104"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.20.21",
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.21.20",
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        },
        {
          "category": "external",
          "summary": "https://kb.isc.org/docs/cve-2026-3104",
          "url": "https://kb.isc.org/docs/cve-2026-3104"
        }
      ],
      "release_date": "2026-03-25T13:29:19.494000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, restrict access to the BIND resolver to trusted clients only. This can be achieved by configuring firewall rules to limit inbound connections to port 53 (UDP/TCP) from known, authorized IP addresses or networks. Alternatively, configure BIND to listen only on specific trusted interfaces or localhost.\n\nExample using firewalld:\n`firewall-cmd --permanent --add-rich-rule=\u0027rule family=\"ipv4\" source address=\"\u003cTRUSTED_IP_OR_NETWORK\u003e\" port port=53 protocol=\"udp\" accept\u0027`\n`firewall-cmd --permanent --add-rich-rule=\u0027rule family=\"ipv4\" source address=\"\u003cTRUSTED_IP_OR_NETWORK\u003e\" port port=53 protocol=\"tcp\" accept\u0027`\n`firewall-cmd --reload`\n\nAfter applying changes, a restart of the BIND service may be required for the new configuration to take full effect. This may temporarily interrupt DNS resolution services.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "bind: BIND: Denial of Service via specially crafted domain query causing a memory leak"
    },
    {
      "cve": "CVE-2026-3119",
      "cwe": {
        "id": "CWE-237",
        "name": "Improper Handling of Structural Elements"
      },
      "discovery_date": "2026-03-25T14:02:07.297575+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451308"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in BIND, specifically within the `named` daemon. An authenticated remote attacker, possessing a valid Transaction Signature (TSIG) key configured on the server, could send a specially crafted query containing a TKEY record. This action may cause the `named` daemon to crash, leading to a Denial of Service (DoS) for the affected DNS service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: BIND: Denial of Service via authenticated TKEY queries",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Moderate impact. A flaw in BIND 9\u0027s `named` component can lead to a Denial of Service if an attacker with a valid Transaction Signature (TSIG) key sends a specially crafted query. Red Hat Enterprise Linux 8 and 9 are affected by this vulnerability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-3119"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451308",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451308"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-3119",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3119"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3119",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3119"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.20.21",
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.21.20",
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        },
        {
          "category": "external",
          "summary": "https://kb.isc.org/docs/cve-2026-3119",
          "url": "https://kb.isc.org/docs/cve-2026-3119"
        }
      ],
      "release_date": "2026-03-25T13:31:54.806000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, restrict access to the `named` service to only trusted networks and clients. If Transaction Signature (TSIG) keys are not actively used or required, consider disabling them in the BIND configuration. If TSIG keys are necessary, ensure they are securely managed and only distributed to authorized clients. After making configuration changes, a restart of the `named` service may be required to apply the changes, which could temporarily impact DNS resolution.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "bind: BIND: Denial of Service via authenticated TKEY queries"
    },
    {
      "cve": "CVE-2026-3591",
      "cwe": {
        "id": "CWE-825",
        "name": "Expired Pointer Dereference"
      },
      "discovery_date": "2026-03-25T14:01:21.633259+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2451298"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in BIND, specifically in the named server\u0027s handling of DNS queries signed with SIG(0). A remote attacker could exploit this use-after-return vulnerability by sending a specially-crafted DNS request. This could cause an Access Control List (ACL) to improperly match an IP address, potentially leading to unauthorized access to resources.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bind: BIND: Unauthorized access due to use-after-return vulnerability in DNS query handling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability has a Moderate impact. A use-after-return flaw in the `named` server of `bind9` allows a remote attacker to send a specially-crafted DNS request signed with SIG(0). This can lead to improper Access Control List (ACL) matching, potentially granting unauthorized access to resources. Red Hat Enterprise Linux 8 and 9 ship with BIND versions 9.16 and 9.18 respectively, which are not affected by this flaw. Red Hat Enterprise Linux 10 is affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:bind-main@aarch64",
          "Red Hat Hardened Images:bind-main@noarch",
          "Red Hat Hardened Images:bind-main@src",
          "Red Hat Hardened Images:bind-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-3591"
        },
        {
          "category": "external",
          "summary": "RHBZ#2451298",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451298"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-3591",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-3591"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-3591",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3591"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.20.21",
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "category": "external",
          "summary": "https://downloads.isc.org/isc/bind9/9.21.20",
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        },
        {
          "category": "external",
          "summary": "https://kb.isc.org/docs/cve-2026-3591",
          "url": "https://kb.isc.org/docs/cve-2026-3591"
        }
      ],
      "release_date": "2026-03-25T13:34:14.202000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-07T23:30:26+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:6935"
        },
        {
          "category": "workaround",
          "details": "Restrict network access to the `named` service to trusted clients and networks. Configure firewall rules to limit inbound connections to the DNS service port (UDP/TCP 53). For example, using `firewall-cmd --permanent --add-rich-rule=\u0027rule family=\"ipv4\" source address=\"\u003cTRUSTED_IP_RANGE\u003e\" port port=\"53\" protocol=\"udp\" accept\u0027` and `firewall-cmd --reload`. This action may impact DNS resolution for clients outside the specified trusted networks. A service reload or restart may be required for changes to take effect.",
          "product_ids": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:bind-main@aarch64",
            "Red Hat Hardened Images:bind-main@noarch",
            "Red Hat Hardened Images:bind-main@src",
            "Red Hat Hardened Images:bind-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "bind: BIND: Unauthorized access due to use-after-return vulnerability in DNS query handling"
    }
  ]
}

CVE-2026-3119 (GCVE-0-2026-3119)

Vulnerability from cvelistv5 – Published: 2026-03-25 13:31 – Updated: 2026-03-25 14:13

Title

Authenticated query containing a TKEY record may cause named to terminate unexpectedly

Summary

Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-617 - Reachable Assertion

Assigner

isc

References

URL

Tags

	https://kb.isc.org/docs/cve-2026-3119	vendor-advisory
	https://downloads.isc.org/isc/bind9/9.20.21	patch
	https://downloads.isc.org/isc/bind9/9.21.20	patch

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.20.0 , ≤ 9.20.20 (custom) Affected: 9.21.0 , ≤ 9.21.19 (custom) Affected: 9.20.9-S1 , ≤ 9.20.20-S1 (custom) Unaffected: 9.18.0 , ≤ 9.18.46 (custom) Unaffected: 9.18.11-S1 , ≤ 9.18.46-S1 (custom)

Date Public ?

2026-03-25 00:00

Credits

ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3119",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:13:41.579382Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:13:54.588Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.20.20",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.19",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.20-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46",
              "status": "unaffected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46-S1",
              "status": "unaffected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20",
                  "versionStartIncluding": "9.20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.19",
                  "versionStartIncluding": "9.21.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20-S1",
                  "versionStartIncluding": "9.20.9-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46",
                  "versionStartIncluding": "9.18.0",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46-S1",
                  "versionStartIncluding": "9.18.11-S1",
                  "vulnerable": false
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-03-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.\nBIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "If this situation is encountered, `named` will terminate unexpectedly."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "CWE-617 Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T13:31:54.806Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2026-3119",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2026-3119"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Authenticated query containing a TKEY record may cause named to terminate unexpectedly",
      "workarounds": [
        {
          "lang": "en",
          "value": "Remove any TSIG keys that might be used by an attacker."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2026-3119",
    "datePublished": "2026-03-25T13:31:54.806Z",
    "dateReserved": "2026-02-24T12:29:14.561Z",
    "dateUpdated": "2026-03-25T14:13:54.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3104 (GCVE-0-2026-3104)

Vulnerability from cvelistv5 – Published: 2026-03-25 13:29 – Updated: 2026-03-25 14:56

Title

Memory leak in code preparing DNSSEC proofs of non-existence

Summary

A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-772 - Missing Release of Resource after Effective Lifetime

Assigner

isc

References

URL

Tags

	https://kb.isc.org/docs/cve-2026-3104	vendor-advisory
	https://downloads.isc.org/isc/bind9/9.20.21	patch
	https://downloads.isc.org/isc/bind9/9.21.20	patch

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.20.0 , ≤ 9.20.20 (custom) Affected: 9.21.0 , ≤ 9.21.19 (custom) Affected: 9.20.9-S1 , ≤ 9.20.20-S1 (custom) Unaffected: 9.18.0 , ≤ 9.18.46 (custom) Unaffected: 9.18.11-S1 , ≤ 9.18.46-S1 (custom)

Date Public ?

2026-03-25 00:00

Credits

ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3104",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:56:20.362810Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:56:26.373Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.20.20",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.19",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.20-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46",
              "status": "unaffected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46-S1",
              "status": "unaffected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20",
                  "versionStartIncluding": "9.20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.19",
                  "versionStartIncluding": "9.21.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20-S1",
                  "versionStartIncluding": "9.20.9-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46",
                  "versionStartIncluding": "9.18.0",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46-S1",
                  "versionStartIncluding": "9.18.11-S1",
                  "vulnerable": false
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-03-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.\nBIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "If a BIND resolver is asked to query a specially crafted domain, memory will not be recovered by `named`. This can cause unbounded growth of Resident Set Size (RSS) memory, which may lead to an out-of-memory condition. Additionally, `named` will exit with an assertion failure if a shutdown or reload is attempted."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-772",
              "description": "CWE-772 Missing Release of Resource after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T13:29:19.494Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2026-3104",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2026-3104"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Memory leak in code preparing DNSSEC proofs of non-existence",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workarounds known."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2026-3104",
    "datePublished": "2026-03-25T13:29:19.494Z",
    "dateReserved": "2026-02-24T10:04:57.917Z",
    "dateUpdated": "2026-03-25T14:56:26.373Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13878 (GCVE-0-2025-13878)

Vulnerability from cvelistv5 – Published: 2026-01-21 14:43 – Updated: 2026-01-21 18:13

Title

Malformed BRID/HHIT records can cause named to terminate unexpectedly

Summary

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-617 - Reachable Assertion

Assigner

isc

References

URL

Tags

	https://kb.isc.org/docs/cve-2025-13878	vendor-advisory
	https://downloads.isc.org/isc/bind9/9.18.44	patch
	https://downloads.isc.org/isc/bind9/9.20.18	patch
	https://downloads.isc.org/isc/bind9/9.21.17	patch

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.18.40 , ≤ 9.18.43 (custom) Affected: 9.20.13 , ≤ 9.20.17 (custom) Affected: 9.21.12 , ≤ 9.21.16 (custom) Affected: 9.18.40-S1 , ≤ 9.18.43-S1 (custom) Affected: 9.20.13-S1 , ≤ 9.20.17-S1 (custom)

Date Public ?

2026-01-21 00:00

Credits

ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13878",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-21T14:57:50.807267Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-21T14:58:14.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-21T18:13:38.157Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/21/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.18.43",
              "status": "affected",
              "version": "9.18.40",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.17",
              "status": "affected",
              "version": "9.20.13",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.16",
              "status": "affected",
              "version": "9.21.12",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.43-S1",
              "status": "affected",
              "version": "9.18.40-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.17-S1",
              "status": "affected",
              "version": "9.20.13-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.43",
                  "versionStartIncluding": "9.18.40",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.17",
                  "versionStartIncluding": "9.20.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.16",
                  "versionStartIncluding": "9.21.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.43-S1",
                  "versionStartIncluding": "9.18.40-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.17-S1",
                  "versionStartIncluding": "9.20.13-S1",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-01-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly.\nThis issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can cause `named` to crash by sending a request that results in a corrupt or malicious record."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-617",
              "description": "CWE-617 Reachable Assertion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-21T14:43:27.260Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2025-13878",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2025-13878"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.18.44"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.18"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.17"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.44, 9.20.18, 9.21.17, 9.18.44-S1, or 9.20.18-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Malformed BRID/HHIT records can cause named to terminate unexpectedly",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workarounds known."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2025-13878",
    "datePublished": "2026-01-21T14:43:27.260Z",
    "dateReserved": "2025-12-02T11:08:04.266Z",
    "dateUpdated": "2026-01-21T18:13:38.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40780 (GCVE-0-2025-40780)

Vulnerability from cvelistv5 – Published: 2025-10-22 15:48 – Updated: 2025-11-04 21:10

Title

Cache poisoning due to weak PRNG

Summary

In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-341 - Predictable from Observable State

Assigner

isc

References

URL

Tags

https://kb.isc.org/docs/cve-2025-40780

vendor-advisory

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.16.0 , ≤ 9.16.50 (custom) Affected: 9.18.0 , ≤ 9.18.39 (custom) Affected: 9.20.0 , ≤ 9.20.13 (custom) Affected: 9.21.0 , ≤ 9.21.12 (custom) Affected: 9.16.8-S1 , ≤ 9.16.50-S1 (custom) Affected: 9.18.11-S1 , ≤ 9.18.39-S1 (custom) Affected: 9.20.9-S1 , ≤ 9.20.13-S1 (custom)

Date Public ?

2025-10-22 00:00

Credits

ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from Hebrew University of Jerusalem for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-40780",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-22T17:27:36.366032Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-22T17:27:49.476Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:16.728Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/22/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.16.50",
              "status": "affected",
              "version": "9.16.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.39",
              "status": "affected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.13",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.12",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.16.50-S1",
              "status": "affected",
              "version": "9.16.8-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.39-S1",
              "status": "affected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.13-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from Hebrew University of Jerusalem for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2025-10-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "BIND can be tricked into caching attacker responses, if the spoofing is successful."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-341",
              "description": "CWE-341 Predictable from Observable State",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-22T15:48:27.146Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2025-40780",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2025-40780"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.41, 9.20.15, 9.21.14, 9.18.41-S1, or 9.20.15-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cache poisoning due to weak PRNG",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workarounds known."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2025-40780",
    "datePublished": "2025-10-22T15:48:27.146Z",
    "dateReserved": "2025-04-16T08:44:49.857Z",
    "dateUpdated": "2025-11-04T21:10:16.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3591 (GCVE-0-2026-3591)

Vulnerability from cvelistv5 – Published: 2026-03-25 13:34 – Updated: 2026-03-25 14:13

Title

A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass

Summary

A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-562 - Return of Stack Variable Address
CWE-305 - Authentication Bypass by Primary Weakness

Assigner

isc

References

URL

Tags

	https://kb.isc.org/docs/cve-2026-3591	vendor-advisory
	https://downloads.isc.org/isc/bind9/9.20.21	patch
	https://downloads.isc.org/isc/bind9/9.21.20	patch

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.20.0 , ≤ 9.20.20 (custom) Affected: 9.21.0 , ≤ 9.21.19 (custom) Affected: 9.20.9-S1 , ≤ 9.20.20-S1 (custom) Unaffected: 9.18.0 , ≤ 9.18.46 (custom) Unaffected: 9.18.11-S1 , ≤ 9.18.46-S1 (custom)

Date Public ?

2026-03-25 00:00

Credits

ISC would like to thank Mcsky23 for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3591",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:12:43.295485Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:13:01.659Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.20.20",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.19",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.20-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46",
              "status": "unaffected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46-S1",
              "status": "unaffected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20",
                  "versionStartIncluding": "9.20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.19",
                  "versionStartIncluding": "9.21.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20-S1",
                  "versionStartIncluding": "9.20.9-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46",
                  "versionStartIncluding": "9.18.0",
                  "vulnerable": false
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46-S1",
                  "versionStartIncluding": "9.18.11-S1",
                  "vulnerable": false
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Mcsky23 for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-03-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1.\nBIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker may be able to cause an ACL to improperly (mis)match an IP address.  In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-562",
              "description": "CWE-562 Return of Stack Variable Address",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-305",
              "description": "CWE-305 Authentication Bypass by Primary Weakness",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T13:34:14.202Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2026-3591",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2026-3591"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.20.21, 9.21.20, or 9.20.21-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workarounds known."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2026-3591",
    "datePublished": "2026-03-25T13:34:14.202Z",
    "dateReserved": "2026-03-05T12:50:58.915Z",
    "dateUpdated": "2026-03-25T14:13:01.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40778 (GCVE-0-2025-40778)

Vulnerability from cvelistv5 – Published: 2025-10-22 15:47 – Updated: 2026-02-26 16:57

Title

Cache poisoning attacks with unsolicited RRs

Summary

Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data

Assigner

isc

References

URL

Tags

https://kb.isc.org/docs/cve-2025-40778

vendor-advisory

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.11.0 , ≤ 9.16.50 (custom) Affected: 9.18.0 , ≤ 9.18.39 (custom) Affected: 9.20.0 , ≤ 9.20.13 (custom) Affected: 9.21.0 , ≤ 9.21.12 (custom) Affected: 9.11.3-S1 , ≤ 9.16.50-S1 (custom) Affected: 9.18.11-S1 , ≤ 9.18.39-S1 (custom) Affected: 9.20.9-S1 , ≤ 9.20.13-S1 (custom)

Date Public ?

2025-10-22 00:00

Credits

ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-40778",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-07T04:56:12.747619Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:57:13.134Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:14.114Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/22/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.16.50",
              "status": "affected",
              "version": "9.11.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.39",
              "status": "affected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.13",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.12",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.16.50-S1",
              "status": "affected",
              "version": "9.11.3-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.39-S1",
              "status": "affected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.13-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan from Tsinghua University for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2025-10-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache.\nThis issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Forged records can be injected into cache during a query, which can potentially affect resolution of future queries."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-22T15:47:13.243Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2025-40778",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2025-40778"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.41, 9.20.15, 9.21.14, 9.18.41-S1, or 9.20.15-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Cache poisoning attacks with unsolicited RRs",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workarounds known."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2025-40778",
    "datePublished": "2025-10-22T15:47:13.243Z",
    "dateReserved": "2025-04-16T08:44:49.857Z",
    "dateUpdated": "2026-02-26T16:57:13.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1519 (GCVE-0-2026-1519)

Vulnerability from cvelistv5 – Published: 2026-03-25 13:25 – Updated: 2026-04-13 09:35

Title

Excessive NSEC3 iterations cause high CPU load during insecure delegation validation

Summary

If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-606 - Unchecked Input for Loop Condition

Assigner

isc

References

URL

Tags

	https://kb.isc.org/docs/cve-2026-1519	vendor-advisory
	https://downloads.isc.org/isc/bind9/9.18.47	patch
	https://downloads.isc.org/isc/bind9/9.20.21	patch
	https://downloads.isc.org/isc/bind9/9.21.20	patch

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.11.0 , ≤ 9.16.50 (custom) Affected: 9.18.0 , ≤ 9.18.46 (custom) Affected: 9.20.0 , ≤ 9.20.20 (custom) Affected: 9.21.0 , ≤ 9.21.19 (custom) Affected: 9.11.3-S1 , ≤ 9.16.50-S1 (custom) Affected: 9.18.11-S1 , ≤ 9.18.46-S1 (custom) Affected: 9.20.9-S1 , ≤ 9.20.20-S1 (custom)

Date Public ?

2026-03-25 00:00

Credits

ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1519",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:55:33.427270Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:55:40.032Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-13T09:35:57.526Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.16.50",
              "status": "affected",
              "version": "9.11.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46",
              "status": "affected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.20",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.19",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.16.50-S1",
              "status": "affected",
              "version": "9.11.3-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.46-S1",
              "status": "affected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.20-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.16.50",
                  "versionStartIncluding": "9.11.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46",
                  "versionStartIncluding": "9.18.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20",
                  "versionStartIncluding": "9.20.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.21.19",
                  "versionStartIncluding": "9.21.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.16.50-S1",
                  "versionStartIncluding": "9.11.3-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.18.46-S1",
                  "versionStartIncluding": "9.18.11-S1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:isc:bind:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "9.20.20-S1",
                  "versionStartIncluding": "9.20.9-S1",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2026-03-25T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).\nThis issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "If this issue is encountered, the resolver may experience excessive CPU consumption and a sharp decrease in the number of queries per second that it can handle."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-606",
              "description": "CWE-606 Unchecked Input for Loop Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T13:25:19.802Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2026-1519",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2026-1519"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.18.47"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.20.21"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://downloads.isc.org/isc/bind9/9.21.20"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.47, 9.20.21, 9.21.20, 9.18.47-S1, or 9.20.21-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Excessive NSEC3 iterations cause high CPU load during insecure delegation validation",
      "workarounds": [
        {
          "lang": "en",
          "value": "This is not recommended, but disabling DNSSEC (`dnssec-validation no;`) prevents exploitation of this issue."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2026-1519",
    "datePublished": "2026-03-25T13:25:19.802Z",
    "dateReserved": "2026-01-28T09:54:49.514Z",
    "dateUpdated": "2026-04-13T09:35:57.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-8677 (GCVE-0-2025-8677)

Vulnerability from cvelistv5 – Published: 2025-10-22 15:43 – Updated: 2025-11-04 21:15

Title

Resource exhaustion via malformed DNSKEY handling

Summary

Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-405 - Asymmetric Resource Consumption (Amplification)

Assigner

isc

References

URL

Tags

https://kb.isc.org/docs/cve-2025-8677

vendor-advisory

Impacted products

	Vendor	Product	Version
	ISC	BIND 9	Affected: 9.18.0 , ≤ 9.18.39 (custom) Affected: 9.20.0 , ≤ 9.20.13 (custom) Affected: 9.21.0 , ≤ 9.21.12 (custom) Affected: 9.18.11-S1 , ≤ 9.18.39-S1 (custom) Affected: 9.20.9-S1 , ≤ 9.20.13-S1 (custom)

Date Public ?

2025-10-22 00:00

Credits

ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security and Privacy Laboratory at Nankai University for bringing this vulnerability to our attention.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8677",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-22T17:29:14.290863Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-22T17:29:39.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:15:09.556Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/10/22/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.18.39",
              "status": "affected",
              "version": "9.18.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.13",
              "status": "affected",
              "version": "9.20.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.21.12",
              "status": "affected",
              "version": "9.21.0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.39-S1",
              "status": "affected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.13-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One Security and Privacy Laboratory at Nankai University for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2025-10-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.\nThis issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker could overwhelm the server, significantly impacting performance and leading to denial of service for legitimate clients."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-405",
              "description": "CWE-405 Asymmetric Resource Consumption (Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-22T15:43:10.369Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2025-8677",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2025-8677"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.41, 9.20.15, 9.21.14, 9.18.41-S1, or 9.20.15-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Resource exhaustion via malformed DNSKEY handling",
      "workarounds": [
        {
          "lang": "en",
          "value": "No workarounds known."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2025-8677",
    "datePublished": "2025-10-22T15:43:10.369Z",
    "dateReserved": "2025-08-06T17:32:34.755Z",
    "dateUpdated": "2025-11-04T21:15:09.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:6935

CVE-2026-3119 (GCVE-0-2026-3119)

CVE-2026-3104 (GCVE-0-2026-3104)

CVE-2025-13878 (GCVE-0-2025-13878)

CVE-2025-40780 (GCVE-0-2025-40780)

CVE-2026-3591 (GCVE-0-2026-3591)

CVE-2025-40778 (GCVE-0-2025-40778)

CVE-2026-1519 (GCVE-0-2026-1519)

CVE-2025-8677 (GCVE-0-2025-8677)

Tags

Sightings

Nomenclature