
CVE-2022-38178 in ISC BIND9: In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.16.32, 9.18.0 -> 9.18.6, versions 9.11.4-S1 -> 9.11.37-S1, 9.16.8-S1 -> 9.16.32-S1 of the BIND Supported Preview Edition, and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, the DNSSEC verification code for the EdDSA algorithm leaks memory when there is a signature length mismatch.

Severity: High
Vulnerability: CVE-2022-38178
Published: Wed Sep 21 2022 (09/21/2022, 10:15:29 UTC)
Source: CVE Database V5
Vendor/Project: ISC
Product: BIND9

Description

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

AI-Powered Analysis

Last updated: 07/07/2025, 08:40:59 UTC

Technical Analysis

CVE-2022-38178 is a high-severity vulnerability affecting multiple versions of ISC's BIND9 DNS server software, specifically versions ranging from 9.9.12 through 9.9.13, 9.10.7 through 9.10.8, 9.11.3 through 9.16.32, 9.18.0 through 9.18.6, supported preview editions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.32-S1, as well as development branch 9.19.0 through 9.19.4. The vulnerability arises in the DNSSEC verification code for the EdDSA algorithm, where a signature length mismatch causes a memory leak. An attacker can exploit this by sending spoofed DNS responses containing malformed EdDSA signatures to a target resolver running a vulnerable BIND9 version. Each malformed response triggers a small memory leak, and repeated responses over time gradually consume the available memory of the DNS server process (named). This resource exhaustion can ultimately lead to a crash of the named process, resulting in denial of service (DoS). The vulnerability is classified under CWE-401 (Improper Release of Memory Before Removing Last Reference) and has a CVSS v3.1 base score of 7.5, indicating high severity. The attack vector is network-based, requires no privileges or user interaction, and impacts availability without affecting confidentiality or integrity. No known exploits had been reported in the wild as of the published date. The vulnerability lies specifically in the EdDSA signature verification path of DNSSEC, a cryptographic extension to DNS that provides origin authentication and data integrity. Since DNS is a critical infrastructure component, exploitation can disrupt DNS resolution services, impacting dependent applications and services.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on BIND9 as their authoritative or recursive DNS resolver. DNS is foundational to internet and intranet operations; a denial of service on DNS servers can lead to widespread service outages, affecting web services, email, internal applications, and security controls that depend on DNS. Organizations using DNSSEC with EdDSA signatures are particularly at risk, as the vulnerability is triggered by malformed EdDSA signatures. The gradual memory leak can be exploited remotely without authentication, making it feasible for attackers to disrupt DNS services at scale. Critical infrastructure providers, ISPs, and enterprises with public-facing DNS resolvers in Europe could face service degradation or outages, impacting business continuity and potentially violating regulatory requirements for service availability. Additionally, the disruption of DNS services could indirectly affect security monitoring and incident response capabilities that rely on DNS data. Although no known exploits are reported in the wild, the ease of exploitation and the high impact on availability warrant urgent attention.

Mitigation Recommendations

European organizations should promptly identify and inventory all BIND9 deployments, focusing on versions listed as vulnerable. Immediate mitigation involves upgrading affected BIND9 instances to the latest patched versions beyond those listed as vulnerable (e.g., versions after 9.9.13, 9.10.8, 9.16.33, 9.18.7, 9.11.37-S1, 9.16.33-S1, and 9.19.5). If immediate upgrades are not feasible, organizations should implement network-level controls to restrict or filter DNS responses containing malformed EdDSA signatures, although this may be challenging. Monitoring memory usage of named processes can help detect early signs of exploitation attempts. Deploying rate limiting on DNS responses and anomaly detection for unusual DNSSEC signature patterns can reduce attack surface. Additionally, organizations should review DNSSEC configurations to ensure EdDSA signatures are used appropriately and consider temporarily disabling EdDSA support if risk is unacceptable and operationally feasible. Maintaining up-to-date intrusion detection signatures and logging DNS server activity will aid in early detection of exploitation attempts. Finally, organizations should engage with ISC advisories and security communities for updates and patches.
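The inventory step above starts with deciding whether a given named binary falls inside the advisory's version ranges. The following checker is an added example, not ISC code or the page's own; it encodes the ranges listed in this advisory, parses either a bare version or the first line of `named -v` output (the `-S` suffix marks the Supported Preview Edition), and is conservative about distribution packages, which may backport the fix without changing the version string.

```python
import re

# Vulnerable ranges exactly as listed in this advisory (inclusive on both ends).
# The Supported Preview Edition (-S suffix) has its own ranges and is tracked
# separately, since 9.11.3 is vulnerable but 9.11.3-S1 is not listed.
VULNERABLE_RANGES = {
    "standard": [
        ((9, 9, 12), (9, 9, 13)),
        ((9, 10, 7), (9, 10, 8)),
        ((9, 11, 3), (9, 16, 32)),   # spans 9.11 through 9.16
        ((9, 18, 0), (9, 18, 6)),
        ((9, 19, 0), (9, 19, 4)),
    ],
    "preview": [
        ((9, 11, 4), (9, 11, 37)),
        ((9, 16, 8), (9, 16, 32)),
    ],
}

# Matches "9.16.30" or "9.16.30-S1"; ignores trailing distro tags like "-Ubuntu".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?")


def parse_bind_version(text):
    """Return ((major, minor, patch), edition) from a version string or the
    first line of `named -v` output, or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1, 2, 3))
    edition = "preview" if m.group(4) else "standard"
    return version, edition


def is_vulnerable(text):
    """True if the version lies in a CVE-2022-38178 range, False if outside,
    None if the text carries no parseable version. Caveat: distribution
    packages may backport the fix without bumping the version, so a True here
    should be confirmed against the package changelog before acting on it."""
    parsed = parse_bind_version(text)
    if parsed is None:
        return None
    version, edition = parsed
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES[edition])


if __name__ == "__main__":
    import subprocess
    # Query the locally installed named; requires BIND on PATH.
    out = subprocess.run(["named", "-v"], capture_output=True, text=True).stdout
    print(out.strip(), "->", is_vulnerable(out))
```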


Technical Details

Data Version: 5.1
Assigner Short Name: isc
Date Reserved: 2022-08-12T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68372bbe182aa0cae252025e

Added to database: 5/28/2025, 3:29:02 PM

Last enriched: 7/7/2025, 8:40:59 AM

Last updated: 8/12/2025, 1:55:50 PM
