BIND
BIND (Berkeley Internet Name Domain) is the Internet Systems Consortium DNS server and the most widely deployed authoritative and recursive DNS implementation. It is tracked as isc:bind in NVD with one of the largest CVE histories in the coverage set, spanning denial-of-service via memory exhaustion, cache poisoning, and assertion failures in response processing.
Querying BIND
Product identifier: isc_bind
Example versions: 9.18.0, 9.20.4, 9.16.23

curl "https://api.attestd.io/v1/check?product=isc_bind&version=9.18.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

BIND 9.18.0 is affected by 14 CVEs across the 9.18.x line, including memory exhaustion and cache poisoning issues. The response shows risk_state: "high" because multiple CVEs allow unauthenticated remote exploitation. The ISC 9.18.x series is the extended support branch; 9.18.1 is the first patch release.
{
"product": "isc_bind",
"version": "9.18.0",
"supported": true,
"risk_state": "high",
"risk_factors": [
"remote_code_execution",
"no_authentication_required",
"internet_exposed_service",
"patch_available"
],
"actively_exploited": false,
"remote_exploitable": true,
"authentication_required": false,
"patch_available": true,
"fixed_version": "9.18.1",
"confidence": 0.85,
"cve_ids": [
"CVE-2021-25220", "CVE-2022-0396", "CVE-2022-0635",
"CVE-2022-0667", "CVE-2022-1183", "CVE-2022-3094",
"CVE-2022-3736", "CVE-2022-3924", "CVE-2023-2828",
"CVE-2023-3341", "CVE-2023-4236", "CVE-2023-4408",
"CVE-2023-5517", "CVE-2023-5679"
],
"last_updated": "2026-06-14T17:00:42Z",
"supply_chain": null
}

BIND 9.18.28 is a current patch release in the extended support branch and has no unpatched CVEs in the 9.18 range as of the last synthesis run.
curl "https://api.attestd.io/v1/check?product=isc_bind&version=9.18.28" \
  -H "Authorization: Bearer $ATTESTD_KEY"

CVE history
BIND CVEs cluster in three areas: memory exhaustion via crafted DNS queries, cache poisoning via forwarder configurations, and control channel stack exhaustion. The 9.11 line is end-of-life with many unpatched issues; the 9.18 extended support branch receives active patches.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2021-25220 | Cache poisoning via forwarder configurations. A resolver configured to forward queries accepts incorrect responses from forwarders and caches them, potentially redirecting clients to attacker-controlled addresses. | 9.0.0 to 9.18.0 | 6.8 |
| CVE-2022-3094 | Memory exhaustion via a flood of dynamic DNS update messages. An attacker can exhaust server memory by sending large volumes of UPDATE messages to a zone, causing denial of service. | 9.0.0 to 9.18.9 | 7.5 |
| CVE-2022-3736 | named crashes with an assertion failure when it encounters an RRSIG in the stale cache that is associated with a stale data record. Causes denial of service. | 9.16.11 to 9.18.9 | 7.5 |
| CVE-2023-2828 | Memory exhaustion in named when processing RRset data during cache management. An attacker sending specially crafted queries can make named consume excessive memory. | 9.0.0 to 9.18.17 | 7.5 |
| CVE-2023-3341 | Stack exhaustion in named when processing large control channel messages. An attacker with access to the control channel can crash named by sending a specially crafted large message. | 9.0.0 to 9.18.18 | 7.5 |
| CVE-2023-4408 | CPU exhaustion when parsing a crafted DNS message that contains many DNS names. Allows unauthenticated remote denial of service by consuming excessive CPU resources. | 9.0.0 to 9.18.21 | 7.5 |
KEV = CISA Known Exploited Vulnerabilities catalog. Active exploitation confirmed.
Single ISC namespace
NVD tracks BIND under a single CPE vendor/product namespace. All versions from 4.x through the current 9.20 series are in the same namespace, providing complete historical coverage in a single query:
cpe:2.3:a:isc:bind
All versions, 4.x through 9.20.x

Attestd normalizes version strings across the 9.x branches (9.11, 9.16, 9.18, 9.20) for accurate range comparison against NVD CPE records.
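
Why normalization matters for range comparison, as an added example that is not Attestd's code: the ranges are copied from the CVE table on this page and each row is treated as one inclusive range, without modelling per-branch fix releases. The function names and the dropping of -P/-S release suffixes are assumptions made for this sketch.

```python
import re

# Inclusive affected ranges copied from the CVE table on this page.
AFFECTED = [
    ("CVE-2021-25220", "9.0.0", "9.18.0"),
    ("CVE-2022-3094", "9.0.0", "9.18.9"),
    ("CVE-2022-3736", "9.16.11", "9.18.9"),
    ("CVE-2023-2828", "9.0.0", "9.18.17"),
    ("CVE-2023-3341", "9.0.0", "9.18.18"),
    ("CVE-2023-4408", "9.0.0", "9.18.21"),
]

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '9.18.0', 'BIND 9.16.23' or '9.11.4-P2' into (major, minor, patch).

    Assumption: release suffixes such as -P2 or -S1 are dropped, so a
    suffixed build compares equal to its base release.
    """
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def affecting(version, table=AFFECTED):
    """Return the CVE ids whose inclusive range contains the version."""
    v = parse_version(version)
    return [cve for cve, first, last in table
            if parse_version(first) <= v <= parse_version(last)]


def affecting_lexical(version, table=AFFECTED):
    """The same check on raw strings, kept only to show how it goes wrong:
    '9.18.9' sorts after '9.18.17' and '9.18.10' sorts before '9.18.9'."""
    return [cve for cve, first, last in table if first <= version <= last]


if __name__ == "__main__":
    # Constructed sample inputs; compare the numeric and string results.
    for sample in ("9.18.0", "9.18.9", "9.18.10", "9.18.28", "9.20.4"):
        print(sample, affecting(sample), affecting_lexical(sample))
```

For 9.18.9 the string comparison misses three of the five matching rows, and for 9.18.10 it reports two rows whose range ended at 9.18.9.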