
CVE-2022-2906: In BIND 9.18.0 -> 9.18.6 and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, changes between OpenSSL 1.x and OpenSSL 3.0 expose a flaw in named that causes a small memory leak in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions (ISC BIND9)

Severity: High
Published: Wed Sep 21 2022 (09/21/2022, 10:15:27 UTC)
Source: CVE Database V5
Vendor/Project: ISC
Product: BIND9

Description

An attacker can leverage this flaw to gradually erode available memory to the point where named crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

AI-Powered Analysis

Last updated: 07/07/2025, 08:40:14 UTC

Technical Analysis

CVE-2022-2906 is a high-severity vulnerability affecting ISC BIND9 versions 9.18.0 through 9.18.6 and 9.19.0 through 9.19.4 (development branch). The flaw arises due to changes between OpenSSL 1.x and OpenSSL 3.0 that expose a memory leak in the named DNS server process when handling TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 or later. Specifically, the vulnerability is a small memory leak during key processing, which an attacker can exploit by repeatedly sending crafted TKEY requests. Over time, this leak gradually consumes available memory resources, eventually causing the named process to crash due to resource exhaustion. Although the service can be restarted, the attacker can repeatedly trigger the leak to cause a denial of service (DoS) condition. The vulnerability is classified under CWE-401 (Improper Release of Memory), indicating a failure to properly manage memory allocation and deallocation. The CVSS v3.1 base score is 7.5, reflecting a high severity with network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability (no confidentiality or integrity impact). No known exploits are currently reported in the wild, but the vulnerability's nature makes it a plausible target for DoS attacks against DNS infrastructure running vulnerable BIND versions with OpenSSL 3.0 or later. This issue is particularly relevant for organizations relying on BIND9 as their authoritative or recursive DNS server, especially where TKEY Diffie-Hellman key exchanges are enabled or used. The absence of patches at the time of reporting necessitates prompt attention to updates or mitigations once available.

Potential Impact

For European organizations, the impact of CVE-2022-2906 primarily manifests as a denial of service against DNS infrastructure. DNS is a critical service underpinning almost all network communications and internet services. A successful exploitation could cause DNS server crashes, leading to service outages, degraded network performance, or loss of domain resolution capabilities. This can disrupt internal and external communications, web services, email, and other dependent applications. Organizations with public-facing DNS servers or those providing DNS services to customers are at higher risk of reputational damage and operational disruption. Additionally, DNS outages can have cascading effects on security monitoring, incident response, and other dependent systems. Since the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, it poses a significant risk to internet-facing DNS servers. European critical infrastructure sectors such as finance, telecommunications, government, and energy, which rely heavily on stable DNS services, could experience operational interruptions. However, the impact is limited to availability; there is no direct confidentiality or integrity compromise. The gradual nature of the memory leak means attacks may require sustained effort but can be automated. Organizations using OpenSSL 3.0 with vulnerable BIND versions are specifically at risk, which may be more common in environments adopting newer OpenSSL releases.

Mitigation Recommendations

1. Immediate mitigation involves upgrading BIND9 to versions 9.18.7 or later and 9.19.5 or later once patches are released by ISC, as these versions address the memory leak issue.
2. Until patches are available, consider disabling TKEY Diffie-Hellman key exchanges if feasible, to prevent triggering the vulnerable code path.
3. Monitor DNS server memory usage and named process stability closely to detect abnormal memory growth or crashes indicative of exploitation attempts.
4. Implement network-level protections such as rate limiting or filtering of TKEY DNS queries from untrusted sources to reduce attack surface.
5. Employ DNS firewalling or intrusion detection systems capable of identifying anomalous DNS traffic patterns associated with exploitation attempts.
6. Maintain updated inventories of DNS server software versions and OpenSSL dependencies to ensure timely patch management.
7. For critical DNS infrastructure, consider deploying redundant DNS servers with failover capabilities to minimize service disruption during attacks or maintenance.
8. Engage with ISC security advisories and community channels to receive timely updates on patches and mitigation guidance.
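
As an added example (not part of the original page and not ISC tooling), this Python code supports recommendations 3 and 6: it classifies a host from its `named -V` output against the affected ranges stated above, and measures resident-memory growth from polled samples. The function names, the result labels and both sample inputs are constructed for illustration.

```python
import re

# Affected ranges as stated on this page: 9.18.0-9.18.6 and 9.19.0-9.19.4,
# and only when named uses OpenSSL 3.0.0 or later.
AFFECTED = {(9, 18): (0, 6), (9, 19): (0, 4)}

# Constructed sample of `named -V` output (not captured from a real host).
SAMPLE_NAMED_V = """BIND 9.18.6 (Stable Release) <id:placeholder>
compiled with OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
linked to OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
"""

# Constructed (epoch_seconds, rss_kib) samples, e.g. VmRSS polled every 60 s.
SAMPLE_RSS = [(0, 100000), (60, 100120), (120, 100240), (180, 100360), (240, 100480)]

def _ver(match):
    return tuple(int(g) for g in match.groups()) if match else None

def parse_named_v(text):
    """Return (bind_version, openssl_version) tuples parsed from `named -V`."""
    bind = re.search(r"^BIND (\d+)\.(\d+)\.(\d+)", text, re.M)
    # Prefer the runtime library over the build-time one.
    ssl = (re.search(r"linked to OpenSSL version: OpenSSL (\d+)\.(\d+)\.(\d+)", text)
           or re.search(r"compiled with OpenSSL version: OpenSSL (\d+)\.(\d+)\.(\d+)", text))
    return _ver(bind), _ver(ssl)

def exposure(text):
    """Classify a host. Distro packages may backport fixes without a version bump."""
    bind, ssl = parse_named_v(text)
    if bind is None:
        return "unknown"
    patch_range = AFFECTED.get(bind[:2])
    if patch_range is None or not patch_range[0] <= bind[2] <= patch_range[1]:
        return "not-affected"
    if ssl is None:
        return "affected-version-openssl-unknown"
    return "exposed" if ssl >= (3, 0, 0) else "affected-version-openssl-1.x"

def rss_slope(samples):
    """Least-squares RSS growth in KiB per second; a steady positive slope suggests a leak."""
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return sum((t - mean_t) * (r - mean_r) for t, r in samples) / den if den else 0.0

if __name__ == "__main__":
    print(exposure(SAMPLE_NAMED_V), rss_slope(SAMPLE_RSS))
```

A slope that stays positive across restarts of normal load, on a host classified as `exposed`, is the signal worth alerting on; compare it against a baseline taken from the same server before drawing conclusions.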


Technical Details

Data Version: 5.1
Assigner Short Name: isc
Date Reserved: 2022-08-19T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68372bbe182aa0cae2520258

Added to database: 5/28/2025, 3:29:02 PM

Last enriched: 7/7/2025, 8:40:14 AM

Last updated: 7/29/2025, 9:38:24 AM
