QwikSec

Security Database

CVE

CWE

Training

CVE-2022-38177

Published: Sep 21, 2022

Modified: May 28, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.

Vendor	Product	Versions
ISC	BIND9	affected `Open Source Branches 9.8 through 9.16 9.8.4 through versions before 9.16.33` affected `Supported Preview Branches 9.9-S through 9.11-S 9.9.4-S1 through versions up to and including 9.11.37-S1` affected `Supported Preview Branch 9.16-S 9.16.8-S1 through versions before 9.16.33-S1`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://kb.isc.org/docs/cve-2022-38177

[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)

mailing-list

vendor-advisory

FEDORA-2022-ef038365de

vendor-advisory

FEDORA-2022-8268735e06

vendor-advisory

FEDORA-2022-b197d64471

vendor-advisory

[debian-lts-announce] 20221005 [SECURITY] [DLA 3138-1] bind9 security update

mailing-list

vendor-advisory

https://security.netapp.com/advisory/ntap-20221228-0010/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.