BIND 9 Software Vulnerability Matrix
Updated on Apr 1, 2026. Published on Aug 8, 2018.
Suzanne Goldlust, Cathy Almond, Peter Davies, Doug Freed, Ben Scott, Everett Fulton
The BIND 9 Software Vulnerability Matrix (previously known as the "BIND 9 Security Vulnerability Matrix") is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts:
The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposures) number for the vulnerability, linked to its page on cve.mitre.org. The third column is a short description of the vulnerability, linked (where possible) to the article in this Knowledgebase on the vulnerability.
The second part is a table for each branch of BIND, listing all of the releases in that branch along the side and vulnerabilities along the top. If a vulnerability number is less than the lowest column heading, that branch does not have any versions with it. If a vulnerability number is greater than the highest column heading, that branch has not been tested and should be assumed to be vulnerable.
For example, if you use the top table to look up CVE-2024-0760 you will see that it cross references to #152. You can look for column #152 in the lower tables to see which versions are vulnerable. If you were still running BIND 9.18.27 you would know to upgrade.
We do not generally list alpha, beta or release candidate (RC) versions here and recommend that you use only released software in any environment in which security could be an issue.
This page explains our version numbering system.
Vulnerability information for EOL (End of Life) versions of BIND 9 (9.0 through 9.16 and below) is included only for vulnerabilities discovered before, or in some cases shortly after, the EOL date.
These versions are all known to be affected by some vulnerabilities discovered after their EOL date.
Warning: Using obsolete versions of BIND
We recommend that you not use obsolete versions of any ISC software; it was updated for a reason. Listings of vulnerabilities affecting obsolete versions of BIND have been split into articles grouped by branch: 9.0, 9.1, 9.2, 9.3, 9.4/9.4-ESV, 9.5, 9.6/9.6-ESV, 9.7, 9.8, 9.9, 9.9-S, 9.10, 9.10-S, 9.11, 9.11-S, 9.12, 9.13, 9.14, 9.15 and 9.16.
Listing of Vulnerabilities affecting current branches of BIND
| # | CVE Number | Short Description |
|---|---|---|
| 168 | 2026-3591 | A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass |
| 167 | 2026-3119 | Authenticated query containing a TKEY record may cause named to terminate unexpectedly |
| 166 | 2026-3104 | Memory leak in code preparing DNSSEC proofs of non-existence |
| 165 | 2026-1519 | Excessive NSEC3 iterations cause high CPU load during insecure delegation validation |
| 164 | 2025-13878 | Malformed BRID/HHIT records |
| 163 | 2025-40780 | Cache poisoning due to weak PRNG |
| 162 | 2025-8677 | Resource exhaustion via malformed DNSKEY handling |
| 161 | 2025-40778 | Cache poisoning attacks with unsolicited RRs |
| 160 | 2025-40777 | A possible assertion failure when using the 'stale-answer-client-timeout 0' option |
| 159 | 2025-40776 | Birthday Attack against Resolvers supporting ECS |
| 158 | 2025-40775 | DNS message with invalid TSIG causes an assertion failure |
| 157 | 2024-12705 | DNS-over-HTTPS implementation suffers from multiple issues under heavy query load |
| 156 | 2024-11187 | Many records in the additional section cause CPU exhaustion |
| 155 | 2024-4076 | Assertion failure when serving both stale cache data and authoritative zone content |
| 154 | 2024-1975 | SIG(0) can be used to exhaust CPU resources |
| 153 | 2024-1737 | BIND’s database will be slow if a very large number of RRs exist at the same name |
| 152 | 2024-0760 | A flood of DNS messages over TCP may make the server unstable |
| 151 | 2023-50868 | Preparing an NSEC3 closest encloser proof can exhaust CPU resources |
| 150 | 2023-50387 | KeyTrap - Extreme CPU consumption in DNSSEC validator |
| 149 | 2023-6516 | Specific recursive query patterns may lead to an out-of-memory condition |
| 148 | 2023-5680 | Cleaning an ECS-enabled cache may cause excessive CPU load |
| 147 | 2023-5679 | Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution |
| 146 | 2023-5517 | Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled |
| 145 | 2023-4408 | Parsing large DNS messages may cause excessive CPU load |
| 144 | 2023-4236 | named may terminate unexpectedly under high DNS-over-TLS query load |
| 143 | 2023-3341 | A stack exhaustion flaw in control channel code may cause named to terminate unexpectedly |
| 142 | 2023-2911 | Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 |
| 141 | 2023-2829 | Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled |
| 140 | 2023-2828 | named's configured cache size limit can be significantly exceeded |
| 139 | 2022-3924 | named configured to answer from stale cache may terminate unexpectedly at recursive-clients soft quota |
| 138 | 2022-3736 | named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries |
| 137 | 2022-3488 | BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries |
| 136 | 2022-3094 | An UPDATE message flood may cause named to exhaust all available memory |
| 135 | 2022-38178 | Memory leaks in EdDSA DNSSEC verification code |
| 134 | 2022-38177 | Memory leak in ECDSA DNSSEC verification code |
| 133 | 2022-3080 | BIND 9 resolvers configured to answer from stale cache with zero stale-answer-timeout may terminate unexpectedly |
| 132 | 2022-2906 | Memory leaks in code handling Diffie-Hellman key exchange via TKEY RRs (OpenSSL 3.0.0+ only) |
| 131 | 2022-2881 | Buffer overread in statistics channel code |
| 130 | 2022-2795 | Processing large delegations may severely degrade resolver performance |
| 129 | 2022-1183 | Destroying TLS session early triggers assertion failure |
| 128 | 2022-0667 | Assertion failure on delayed DS lookup |
| 127 | 2022-0635 | DNAME insist with synth-from-dnssec enabled |
| 126 | 2022-0396 | DoS from specifically crafted TCP packets |
| 125 | 2021-25220 | DNS forwarders - cache poisoning vulnerability |
Why don't the reference numbers begin at 1?
Our reference numbering started with BIND 8. We have since separated the information for BIND 8 and also obsolete branches of BIND 9. To reduce the possibility of confusion when referring to the individual pages we have chosen to maintain uniform numbering across all of them matching the historic numbering, including gaps where some reports affected only BIND 8. As major branches of BIND have reached EOL (End of Life), the lowest numbered vulnerability affecting our current versions has increased. Issues only affecting obsolete branches of BIND have been moved to a separate section later in this KB.
Why are some versions of BIND crossed out?
This BIND Security Vulnerability Matrix includes some versions of BIND that were built and then withdrawn due to regressions discovered late in the release process or, in some instances, subsequent to public release.
BIND 9.20
BIND 9.20 is the newer stable branch of BIND.
ver/CVE | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168
9.20.22
9.20.21
9.20.20
9.20.19
9.20.18
9.20.17
9.20.16
9.20.15
9.20.14
9.20.13
9.20.12
9.20.11
9.20.10
9.20.9
9.20.8
9.20.7
9.20.6
9.20.5
9.20.4
9.20.3
9.20.2
9.20.1
9.20.0
BIND 9.20 Supported Preview edition
If you'd like more information on our product support or about our BIND Subscription version, please visit https://www.isc.org/bind.
ver/CVE | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168
9.20.22-S1
9.20.21-S1
9.20.20-S1
9.20.19-S1
9.20.18-S1
9.20.17-S1
9.20.16-S1
9.20.15-S1
9.20.14-S1
9.20.13-S1
9.20.12-S1
9.20.11-S1
9.20.10-S1
9.20.9-S1
BIND 9.18
BIND 9.18 is the older stable branch of BIND.
ver/CVE | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168
9.18.48
9.18.47
9.18.46
9.18.45
9.18.44
9.18.43
9.18.42
9.18.41
9.18.40
9.18.39
9.18.38
9.18.37
9.18.36
9.18.35
9.18.34
9.18.33
9.18.32
9.18.31
9.18.30
9.18.29
9.18.28
9.18.27
9.18.26
9.18.25
9.18.24
9.18.23
9.18.22
9.18.21
9.18.20
9.18.19
9.18.18
9.18.17
9.18.16
9.18.15
9.18.14
9.18.13
9.18.12
9.18.11
9.18.10
9.18.9
9.18.8
9.18.7
9.18.6
9.18.5
9.18.4
9.18.3
9.18.2
9.18.1
9.18.0
BIND 9.18 Supported Preview edition
If you'd like more information on our product support or about our BIND Subscription version, please visit
ver/CVE | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168
9.18.48-S1
9.18.47-S1
9.18.46-S1
9.18.45-S1
9.18.44-S1
9.18.43-S1
9.18.42-S1
9.18.41-S1
9.18.40-S1
9.18.39-S1
9.18.38-S1
9.18.37-S1
9.18.36-S1
9.18.35-S1
9.18.34-S1
9.18.33-S1
9.18.32-S1
9.18.31-S1
9.18.30-S1
9.18.29-S1
9.18.28-S1
9.18.27-S1
9.18.26-S1
9.18.25-S1
9.18.24-S1
9.18.23-S2
9.18.23-S1
9.18.22-S1
9.18.21-S1
9.18.20-S1
9.18.19-S1
9.18.18-S1
9.18.17-S1
9.18.16-S1
9.18.15-S1
9.18.14-S1
9.18.13-S1
9.18.12-S1
9.18.11-S1