If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Bind | Isc | 9.11.0 (including) | 9.16.50 (including) |
| Bind | Isc | 9.18.0 (including) | 9.18.47 (excluding) |
| Bind | Isc | 9.20.0 (including) | 9.20.21 (excluding) |
| Bind | Isc | 9.21.0 (including) | 9.21.20 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | bind-32:9.18.33-10.el10_1.3 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | bind-32:9.18.33-4.el10_0.3 | * |
| Red Hat Enterprise Linux 6 Extended Lifecycle Support - EXTENSION | RedHat | bind-32:9.8.2-0.68.rc1.el6_10.18 | * |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | bind-32:9.11.4-26.P2.el7_9.20 | * |
| Red Hat Enterprise Linux 8 | RedHat | bind9.16-32:9.16.23-0.22.el8_10.5 | * |
| Red Hat Enterprise Linux 8 | RedHat | bind-32:9.11.36-16.el8_10.7 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | bind-32:9.11.26-4.el8_4.9 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | bind-32:9.11.26-4.el8_4.9 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | bind-32:9.11.36-3.el8_6.12 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | bind9.16-32:9.16.23-0.7.el8_6.10 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On | RedHat | bind9.16-32:9.16.23-0.7.el8_6.10 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | bind-32:9.11.36-3.el8_6.12 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | bind-32:9.11.36-3.el8_6.12 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | bind-32:9.11.36-8.el8_8.9 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | bind9.16-32:9.16.23-0.14.el8_8.8 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | bind-32:9.11.36-8.el8_8.9 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | bind9.16-32:9.16.23-0.14.el8_8.8 | * |
| Red Hat Enterprise Linux 9 | RedHat | bind9.18-32:9.18.29-5.el9_7.4 | * |
| Red Hat Enterprise Linux 9 | RedHat | bind-32:9.16.23-34.el9_7.2 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | bind-32:9.16.23-11.el9_2.10 | * |
| Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions | RedHat | bind-32:9.16.23-18.el9_4.11 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | bind-32:9.16.23-31.el9_6.3 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | bind9.18-32:9.18.29-4.el9_6.3 | * |
| Red Hat Hardened Images | RedHat | bind-main-9.18.48-1.hum1 | * |
| Bind9 | Ubuntu | esm-infra/xenial | * |
| Bind9 | Ubuntu | jammy | * |
| Bind9 | Ubuntu | noble | * |
| Bind9 | Ubuntu | questing | * |
| Bind9 | Ubuntu | upstream | * |