CVE-2023-4236

Summary

A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load. This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.18.0 <= 9.18.18affected
ISCBIND 99.18.11-S1 <= 9.18.18-S1affected

Weaknesses

Workarounds

Disabling listening for DNS-over-TLS connections (by removing listen-on ... tls ... { ... }; statements from the configuration) prevents the affected code paths from being taken, rendering exploitation impossible. However, there is no workaround for this flaw if DNS-over-TLS support is required.

ADP Enrichment

CVE Program Container

Additional References

References