BIND 9 Denial-of-Service Vulnerability via Authenticated TKEY Queries

Vulnerability

A denial-of-service vulnerability has been identified in BIND 9's DNS server implementation. Under certain conditions, the 'named' process may crash while handling a properly signed query that includes a TKEY record. This issue arises only when the incoming request contains a valid transaction signature (TSIG) from a key specified in the 'named' configuration. The vulnerability affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. In contrast, BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are not affected.

Impact

Exploiting this vulnerability causes the 'named' process to terminate unexpectedly, disrupting DNS service. This issue impacts both authoritative servers and resolvers.

Remediation

Users can upgrade to BIND 9.20.21, 9.21.20, or 9.20.21-S1 to address this vulnerability.
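As an added example (not ISC's code or part of this advisory), the following check compares a deployed BIND 9 version against the affected ranges listed above and names the fixed release for its branch. It assumes the first line of `named -v` looks like `BIND 9.20.10-S1 (Supported Preview Edition) ...` and that the `-S1` suffix marks the subscription edition.

```python
import re

# Inclusive affected ranges as stated in the advisory: (low, high, subscription_edition).
AFFECTED = [
    ((9, 20, 0), (9, 20, 20), False),   # 9.20.0 through 9.20.20
    ((9, 21, 0), (9, 21, 19), False),   # 9.21.0 through 9.21.19
    ((9, 20, 9), (9, 20, 20), True),    # 9.20.9-S1 through 9.20.20-S1
]

# First fixed release per (major, minor) branch, keyed by edition, from the advisory.
FIXED = {
    False: {(9, 20): "9.20.21", (9, 21): "9.21.20"},
    True: {(9, 20): "9.20.21-S1"},
}

# Assumed version syntax: x.y.z with an optional -S1 subscription suffix.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S1)?\b")


def parse_version(text):
    """Return ((major, minor, patch), is_subscription) from a version string or
    the first line of `named -v`; None when no x.y.z version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) is not None


def is_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"no BIND version found in {text!r}")
    ver, subscription = parsed
    return any(lo <= ver <= hi and subscription == sub for lo, hi, sub in AFFECTED)


def recommended_fix(text):
    """Release to upgrade to, or None if the running version is not affected."""
    if not is_affected(text):
        return None
    ver, subscription = parse_version(text)
    return FIXED[subscription][ver[:2]]


if __name__ == "__main__":
    import subprocess
    import sys
    # Use a version string given on the command line, otherwise ask the local named.
    src = sys.argv[1] if len(sys.argv) > 1 else subprocess.run(
        ["named", "-v"], capture_output=True, text=True, check=True).stdout
    fix = recommended_fix(src)
    print(f"affected; upgrade to {fix}" if fix else "not affected")
```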

Added: Mar 25, 2026, 2:22 PM
Updated: Mar 25, 2026, 2:22 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 2.5
exploitability: 5.3
remediation: 8.3
relevance: 4.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.