CVE-2024-12705

Summary

Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.18.0 <= 9.18.32affected
ISCBIND 99.20.0 <= 9.20.4affected
ISCBIND 99.21.0 <= 9.21.3affected
ISCBIND 99.18.11-S1 <= 9.18.32-S1affected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

Workarounds

The issue affects only the DNS-over-HTTPS protocol and does not apply to instances where DoH is not enabled.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References