CVE-2022-38178: In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.16.32, 9.18.0 -> 9.18.6, versions 9.11.4-S1 -> 9.11.37-S1, 9.16.8-S1 -> 9.16.32-S1 of the BIND Supported Preview Edition, and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, the DNSSEC verification code for the EdDSA algorithm leaks memory when there is a signature length mismatch. in ISC BIND9
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
AI Analysis
Technical Summary
CVE-2022-38178 is a high-severity vulnerability affecting multiple versions of ISC's BIND9 DNS server software, specifically versions ranging from 9.9.12 through 9.9.13, 9.10.7 through 9.10.8, 9.11.3 through 9.16.32, 9.18.0 through 9.18.6, supported preview editions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.32-S1, as well as development branch 9.19.0 through 9.19.4. The vulnerability arises in the DNSSEC verification code for the EdDSA algorithm, where a signature length mismatch causes a memory leak. An attacker can exploit this by sending spoofed DNS responses containing malformed EdDSA signatures to a target resolver running a vulnerable BIND9 version. Each malformed response triggers a small memory leak, which can be exploited over time to gradually consume available memory resources on the DNS server process (named). This resource exhaustion can ultimately lead to a crash of the named process, resulting in denial of service (DoS). The vulnerability is classified under CWE-401 (Improper Release of Memory Before Removing Last Reference) and has a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based, requires no privileges or user interaction, and impacts availability without affecting confidentiality or integrity. No known exploits have been reported in the wild as of the published date. The vulnerability specifically targets the EdDSA signature verification path in DNSSEC, which is a cryptographic extension to DNS that provides origin authentication and data integrity. Since DNS is a critical infrastructure component, exploitation can disrupt DNS resolution services, impacting dependent applications and services.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on BIND9 as their authoritative or recursive DNS resolver. DNS is foundational to internet and intranet operations; a denial of service on DNS servers can lead to widespread service outages, affecting web services, email, internal applications, and security controls that depend on DNS. Organizations using DNSSEC with EdDSA signatures are particularly at risk, as the vulnerability is triggered by malformed EdDSA signatures. The gradual memory leak can be exploited remotely without authentication, making it feasible for attackers to disrupt DNS services at scale. Critical infrastructure providers, ISPs, and enterprises with public-facing DNS resolvers in Europe could face service degradation or outages, impacting business continuity and potentially violating regulatory requirements for service availability. Additionally, the disruption of DNS services could indirectly affect security monitoring and incident response capabilities that rely on DNS data. Although no known exploits are reported in the wild, the ease of exploitation and the high impact on availability warrant urgent attention.
Mitigation Recommendations
European organizations should promptly identify and inventory all BIND9 deployments, focusing on versions listed as vulnerable. Immediate mitigation involves upgrading affected BIND9 instances to the latest patched versions beyond those listed as vulnerable (e.g., versions after 9.9.13, 9.10.8, 9.16.33, 9.18.7, 9.11.37-S1, 9.16.33-S1, and 9.19.5). If immediate upgrades are not feasible, organizations should implement network-level controls to restrict or filter DNS responses containing malformed EdDSA signatures, although this may be challenging. Monitoring memory usage of named processes can help detect early signs of exploitation attempts. Deploying rate limiting on DNS responses and anomaly detection for unusual DNSSEC signature patterns can reduce attack surface. Additionally, organizations should review DNSSEC configurations to ensure EdDSA signatures are used appropriately and consider temporarily disabling EdDSA support if risk is unacceptable and operationally feasible. Maintaining up-to-date intrusion detection signatures and logging DNS server activity will aid in early detection of exploitation attempts. Finally, organizations should engage with ISC advisories and security communities for updates and patches.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Poland, Belgium, Switzerland
CVE-2022-38178: In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.16.32, 9.18.0 -> 9.18.6, versions 9.11.4-S1 -> 9.11.37-S1, 9.16.8-S1 -> 9.16.32-S1 of the BIND Supported Preview Edition, and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, the DNSSEC verification code for the EdDSA algorithm leaks memory when there is a signature length mismatch. in ISC BIND9
Description
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.
AI-Powered Analysis
Technical Analysis
CVE-2022-38178 is a high-severity vulnerability affecting multiple versions of ISC's BIND9 DNS server software, specifically versions ranging from 9.9.12 through 9.9.13, 9.10.7 through 9.10.8, 9.11.3 through 9.16.32, 9.18.0 through 9.18.6, supported preview editions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.32-S1, as well as development branch 9.19.0 through 9.19.4. The vulnerability arises in the DNSSEC verification code for the EdDSA algorithm, where a signature length mismatch causes a memory leak. An attacker can exploit this by sending spoofed DNS responses containing malformed EdDSA signatures to a target resolver running a vulnerable BIND9 version. Each malformed response triggers a small memory leak, which can be exploited over time to gradually consume available memory resources on the DNS server process (named). This resource exhaustion can ultimately lead to a crash of the named process, resulting in denial of service (DoS). The vulnerability is classified under CWE-401 (Improper Release of Memory Before Removing Last Reference) and has a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based, requires no privileges or user interaction, and impacts availability without affecting confidentiality or integrity. No known exploits have been reported in the wild as of the published date. The vulnerability specifically targets the EdDSA signature verification path in DNSSEC, which is a cryptographic extension to DNS that provides origin authentication and data integrity. Since DNS is a critical infrastructure component, exploitation can disrupt DNS resolution services, impacting dependent applications and services.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on BIND9 as their authoritative or recursive DNS resolver. DNS is foundational to internet and intranet operations; a denial of service on DNS servers can lead to widespread service outages, affecting web services, email, internal applications, and security controls that depend on DNS. Organizations using DNSSEC with EdDSA signatures are particularly at risk, as the vulnerability is triggered by malformed EdDSA signatures. The gradual memory leak can be exploited remotely without authentication, making it feasible for attackers to disrupt DNS services at scale. Critical infrastructure providers, ISPs, and enterprises with public-facing DNS resolvers in Europe could face service degradation or outages, impacting business continuity and potentially violating regulatory requirements for service availability. Additionally, the disruption of DNS services could indirectly affect security monitoring and incident response capabilities that rely on DNS data. Although no known exploits are reported in the wild, the ease of exploitation and the high impact on availability warrant urgent attention.
Mitigation Recommendations
European organizations should promptly identify and inventory all BIND9 deployments, focusing on versions listed as vulnerable. Immediate mitigation involves upgrading affected BIND9 instances to the latest patched versions beyond those listed as vulnerable (e.g., versions after 9.9.13, 9.10.8, 9.16.33, 9.18.7, 9.11.37-S1, 9.16.33-S1, and 9.19.5). If immediate upgrades are not feasible, organizations should implement network-level controls to restrict or filter DNS responses containing malformed EdDSA signatures, although this may be challenging. Monitoring memory usage of named processes can help detect early signs of exploitation attempts. Deploying rate limiting on DNS responses and anomaly detection for unusual DNSSEC signature patterns can reduce attack surface. Additionally, organizations should review DNSSEC configurations to ensure EdDSA signatures are used appropriately and consider temporarily disabling EdDSA support if risk is unacceptable and operationally feasible. Maintaining up-to-date intrusion detection signatures and logging DNS server activity will aid in early detection of exploitation attempts. Finally, organizations should engage with ISC advisories and security communities for updates and patches.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- isc
- Date Reserved
- 2022-08-12T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68372bbe182aa0cae252025e
Added to database: 5/28/2025, 3:29:02 PM
Last enriched: 7/7/2025, 8:40:59 AM
Last updated: 7/26/2025, 4:27:53 PM
Views: 15
Related Threats
CVE-2025-43735: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal
MediumCVE-2025-40770: CWE-300: Channel Accessible by Non-Endpoint in Siemens SINEC Traffic Analyzer
HighCVE-2025-40769: CWE-1164: Irrelevant Code in Siemens SINEC Traffic Analyzer
HighCVE-2025-40768: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Siemens SINEC Traffic Analyzer
HighCVE-2025-40767: CWE-250: Execution with Unnecessary Privileges in Siemens SINEC Traffic Analyzer
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.