CVE-2016-0747 in Xcode
Summary
by MITRE
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/29/2026
The vulnerability identified as CVE-2016-0747 represents a critical flaw in the nginx web server's DNS resolver implementation that enables remote attackers to consume excessive system resources through improper CNAME resolution limiting. This weakness affects nginx versions prior to 1.8.1 and 1.9.10, creating a significant attack surface where malicious actors can exploit the resolver's lack of proper recursion limits to exhaust worker process resources. The vulnerability stems from the resolver's inability to effectively control the number of CNAME records that can be followed during DNS resolution operations, allowing attackers to craft malicious DNS queries that trigger unlimited resolution chains.
The technical flaw manifests when nginx processes DNS queries that contain CNAME records, where the resolver does not enforce reasonable limits on the number of recursive lookups that can occur during the resolution process. This allows attackers to construct DNS responses containing multiple chained CNAME records that force the nginx worker processes to continuously resolve each link in the chain without proper bounds checking. The absence of such limits creates a resource exhaustion scenario where worker processes become consumed with resolving increasingly long CNAME chains, ultimately leading to denial of service conditions that can affect the entire web server's availability. This issue directly relates to CWE-674, which describes the lack of proper recursion limiting in security controls, and maps to ATT&CK technique T1499.004 for resource exhaustion attacks.
The operational impact of this vulnerability extends beyond simple service disruption to encompass potential system instability and performance degradation across affected nginx deployments. When exploited, the vulnerability can cause individual worker processes to consume excessive CPU and memory resources, potentially leading to cascading failures that affect the entire nginx instance. Attackers can leverage this weakness to target web applications that rely on nginx's DNS resolution capabilities, particularly those that perform dynamic DNS lookups or use nginx as a reverse proxy for services requiring name resolution. The vulnerability is particularly concerning in high-traffic environments where multiple concurrent connections could be simultaneously exploited, amplifying the resource consumption effects and increasing the likelihood of complete service unavailability.
Mitigation strategies for CVE-2016-0747 primarily focus on upgrading to patched versions of nginx where the resolver implementation properly enforces CNAME resolution limits. Organizations should immediately apply the security updates released by nginx version 1.8.1 and 1.9.10, which include enhanced bounds checking for DNS resolution operations. Additionally, administrators can implement network-level controls such as DNS query rate limiting and implementing proper firewall rules to restrict DNS traffic to known good sources. The configuration of nginx should include explicit settings for resolver timeouts and recursion limits to further constrain potential exploitation vectors. Security monitoring should be enhanced to detect unusual DNS resolution patterns that might indicate exploitation attempts, while regular vulnerability assessments should be conducted to ensure that all nginx installations maintain current security patches and configurations that prevent similar resource exhaustion scenarios.