The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC’s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.

CISA encourages users and administrators to review the following ISC advisories CVE-2023-2828CVE-2023-2829, and CVE-2023-2911 and apply the necessary mitigations.

CVE-2023-2828: named’s configured cache size limit can be significantly exceeded

Document version: 2.0

Posting date: 21 June 2023

Program impacted: BIND 9

Versions affected:


  • 9.11.0 -> 9.16.41
  • 9.18.0 -> 9.18.15
  • 9.19.0 -> 9.19.13

BIND Supported Preview Edition

  • 9.11.3-S1 -> 9.16.41-S1
  • 9.18.11-S1 -> 9.18.15-S1

(Versions prior to 9.11.37 & 9.11.37-S1 were not assessed, but we believe that all versions of BIND 9.11 are vulnerable. Some even older major branches may be vulnerable as well.)

Severity: High

Exploitable: Remotely


Every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement in the configuration file; it defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache, to keep memory use below the configured limit.

It has been discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.


By exploiting this flaw, an attacker can cause the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.

CVSS Score: 7.5


For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:


No workarounds known.

Active exploits:

We are not aware of any active exploits.


Upgrade to the patched release most closely related to your current version of BIND 9:

  • 9.16.42
  • 9.18.16
  • 9.19.14

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.

  • 9.16.42-S1
  • 9.18.16-S1


ISC would like to thank Shoham Danino from Reichman University, Anat Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University, and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to our attention.

Document revision history:

  • 1.0 Early Notification, 14 June 2023
  • 2.0 Public disclosure, 21 June 2023

Related documents:

See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

Do you still have questions? Questions regarding this advisory should be mailed to [email protected]To report a new issue, please encrypt your message using [email protected]’s PGP key, which can be found here: If you are unable to use encrypted email you may also report new issues at:


ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at