PatchSiren

ISC CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH ISC CVE published 2026-05-20

CVE-2026-5947

CVE-2026-5947 is a high-severity denial-of-service issue in affected BIND 9 releases. According to ISC’s advisory referenced by NVD, a race condition during SIG(0) signature validation can create a brief use-after-free window if the recursive-clients limit is reached and the same DNS message is discarded while validation is still in progress. The issue affects BIND 9 9.20.0 through 9.20.22, 9.21.0 through [truncated]

HIGH ISC CVE published 2026-05-20

CVE-2026-5946

CVE-2026-5946 is a high-severity availability issue in BIND 9's named process. According to the NVD record and ISC references, specially crafted DNS traffic using non-IN classes (for example, CHAOS, HESIOD, ANY, or NONE) can reach code paths such as recursion, dynamic updates, NOTIFY handling, or IN-specific record processing in non-IN data and trigger assertion failures.

MEDIUM ISC CVE published 2026-05-20

CVE-2026-3592

CVE-2026-3592 is an availability issue in BIND recursive resolvers. According to NVD and ISC references, a victim resolver that queries a specially crafted zone can consume disproportionate resources, creating an amplified resource consumption or exhaustion condition. The published affected range spans multiple BIND 9 branches, including 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20. [truncated]

HIGH ISC CVE published 2026-05-20

CVE-2026-3039

CVE-2026-3039 is a denial-of-service vulnerability in ISC BIND when a server is configured to use TKEY-based authentication via GSS-API tokens. Maliciously constructed packets can trigger excessive memory consumption, which is particularly relevant in Active Directory-integrated DNS and Kerberos-secured DNS environments. NVD lists the issue as CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

MEDIUM ISC CVE published 2026-03-25

CVE-2026-3591

CVE-2026-3591 is a vulnerability in ISC BIND’s named server when processing DNS queries signed with SIG(0). A specially crafted request can trigger a use-after-return that may cause an ACL to mis-match an IP address. The practical risk is greatest in default-allow ACL deployments that only deny specific IPs, because the bug may let traffic through that should have been blocked. ISC has provided fixed rele [truncated]

MEDIUM ISC CVE published 2026-03-25

CVE-2026-3119

CVE-2026-3119 describes an availability issue in ISC BIND 9 where `named` may crash while processing a correctly signed query containing a TKEY record. The affected code path is only reachable when the incoming request carries a valid TSIG from a key declared in the `named` configuration. ISC rates the issue as medium severity, and the vendor has published fixes for the affected release branches.

HIGH ISC CVE published 2026-03-25

CVE-2026-3104

CVE-2026-3104 is a network-reachable denial-of-service issue in ISC BIND 9 where querying a specially crafted domain can cause a memory leak in the resolver. ISC and NVD identify affected branches as 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. ISC’s referenced fixes are 9.20.21 and 9.21.20, and the vendor also states that 9.18.0 through 9.18.46 and 9.18.11-S1 through [truncated]

HIGH ISC CVE published 2026-03-25

CVE-2026-1519

CVE-2026-1519 is a high-severity availability issue in ISC BIND. When a resolver is performing DNSSEC validation and encounters a maliciously crafted zone, it may consume excessive CPU. The issue is mainly relevant to recursive resolver functionality; authoritative-only servers are generally unaffected, though ISC notes there are cases where authoritative servers may also make recursive queries. The CVE w [truncated]

HIGH ISC CVE published 2026-03-25

CVE-2026-3608

CVE-2026-3608 is a high-severity vulnerability in the Kea DHCP server, which can be exploited by sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons. This can cause the receiving daemon to exit with a stack overflow error. The vulnerability affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2. Users of affected versions should update to a [truncated]

HIGH ISC CVE published 2026-01-21

CVE-2025-13878

CVE-2025-13878 is a HIGH severity vulnerability affecting BIND 9, a popular DNS server software. The vulnerability causes the `named` process to terminate unexpectedly when it encounters malformed BRID/HHIT records. This issue impacts multiple BIND 9 versions, including 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, and their corresponding S1 releases. The vulnerability has a C [truncated]

MEDIUM ISC CVE published 2025-04-07

CVE-2023-2828

CVE-2023-2828 is a denial-of-service issue in ABB M2M Gateway ARM600 and ABB M2M Gateway SW. According to the supplied CISA/ABB advisory, querying the resolver for specific RRsets in a certain order can make the configured max-cache-size limit be significantly exceeded, which may exhaust host memory and disrupt the named service. ABB also states that ARM600 is not dependent on DNS by default, and recommen [truncated]

HIGH ISC CVE published 2025-04-07

CVE-2022-38178

CVE-2022-38178 is a high-severity availability issue in ABB M2M Gateway products. According to the CISA CSAF advisory, an attacker who can spoof the target resolver and send responses with a malformed EdDSA signature can trigger a small memory leak. Repeated triggering may gradually exhaust memory until named crashes for lack of resources. The supplied advisory also notes a practical mitigation: if name s [truncated]

HIGH ISC CVE published 2025-04-07

CVE-2022-38177

CVE-2022-38177 is an availability-focused vulnerability in ABB M2M Gateway products. According to the CISA CSAF advisory, an attacker who can spoof the target resolver with malformed ECDSA signature responses can trigger a small memory leak; repeated abuse may gradually consume memory until named crashes from lack of resources. The advisory published on 2025-04-07 identifies affected ABB M2M Gateway ARM60 [truncated]

MEDIUM ISC CVE published 2025-04-07

CVE-2021-25220

CVE-2021-25220 is a DNS trust issue in ABB M2M Gateway ARM600 and ABB M2M Gateway SW. According to the CISA/ABB advisory, when forwarders are used, bogus NS records supplied by or through those forwarders may be cached and later reused by named if it needs to recurse, which can lead to incorrect DNS answers. The advisory says this can result in DNS cache poisoning and may cause denial of service or inform [truncated]

HIGH ISC CVE published 2024-11-12

CVE-2023-6516

CVE-2023-6516 is a HIGH severity vulnerability (CVSS 7.5) affecting BIND 9 recursive resolvers, specifically versions 9.16.0 through 9.16.45 and 9.16.8-S1 through 9.16.45-S1. The vulnerability stems from an asynchronous cache cleanup mechanism in the `named` daemon that can be overwhelmed by specific query patterns, causing an unbounded growth of queued cleanup events and allowing memory consumption to ex [truncated]

HIGH ISC CVE published 2024-11-12

CVE-2023-5680

A vulnerability in BIND 9 DNS server software can cause the `named` process to crash via assertion failure when DNS64 and serve-stale features are both enabled during recursive resolution. This denial-of-service condition affects multiple BIND 9 version branches and has been identified as affecting Siemens SINEC INS industrial network management software, which incorporates the vulnerable BIND component. [truncated]

HIGH ISC CVE published 2024-11-12

CVE-2023-5679

A vulnerability in BIND 9 DNS server software, where a bad interaction between DNS64 and serve-stale features can cause the `named` daemon to crash with an assertion failure during recursive resolution. This affects multiple BIND 9 version branches and has been identified as affecting Siemens SINEC INS industrial network management software, which incorporates the vulnerable BIND 9 components. The issue r [truncated]

HIGH ISC CVE published 2024-11-12

CVE-2023-5517

A vulnerability in BIND 9's query-handling code can cause the `named` DNS server to exit prematurely with an assertion failure. The flaw occurs when `nxdomain-redirect <domain>;` is configured and the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This denial-of-service condition affects multiple BIND 9 versions and has been identifi [truncated]

HIGH ISC CVE published 2024-11-12

CVE-2023-4408

CVE-2023-4408 is a HIGH severity vulnerability (CVSS 7.5) in BIND 9 DNS message parsing code that can cause excessive CPU load through crafted queries and responses. The flaw affects both authoritative servers and recursive resolvers. While this is fundamentally a BIND 9 issue, Siemens SINEC INS is affected as it incorporates vulnerable BIND 9 components. The vulnerability was published on November 12, 20 [truncated]

HIGH ISC CVE published 2024-11-12

CVE-2023-4236

A vulnerability in BIND 9's DNS-over-TLS implementation can cause the `named` daemon to terminate unexpectedly due to an assertion failure when internal data structures are incorrectly reused under significant query load. This denial-of-service condition affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1. Siemens SINEC INS, which incorporates affected BIND components, is impa [truncated]

HIGH ISC CVE published 2024-11-12

CVE-2023-3341

CVE-2023-3341 is a high-severity denial-of-service issue affecting ABB M2M Gateway products, including ARM600 firmware versions 4.1.2 through 5.0.3 and ABB M2M Gateway SW versions 5.0.1 through 5.0.3. According to the CISA advisory, a remote attacker with network access to the control channel's configured TCP port can trigger recursive processing in named, exhaust stack memory, and cause the service to te [truncated]