CVE-2022-0396 in BIND

Summary

by MITRE • 03/23/2022

BIND 9.16.11 -> 9.16.26, 9.17.0 -> 9.18.0 and versions 9.16.11-S1 -> 9.16.26-S1 of the BIND Supported Preview Edition. Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.


Analysis

by VulDB Data Team • 05/13/2026

This vulnerability affects the Berkeley Internet Name Domain (BIND) software, versions 9.16.11 through 9.16.26 and 9.17.0 through 9.18.0, including the Supported Preview Edition versions 9.16.11-S1 through 9.16.26-S1. The flaw manifests when specifically crafted TCP streams are sent to a BIND server, causing connections to remain in CLOSE_WAIT status indefinitely. This represents a denial of service condition that can persist for extended periods and potentially exhaust system resources.

The issue stems from improper handling of TCP connection state management within the BIND server implementation, where the server fails to properly transition connection states even after receiving proper TCP termination signals from clients. This behavior creates a resource exhaustion scenario in which system file descriptors and memory resources remain allocated to these stale connections. The vulnerability aligns with Common Weakness Enumeration entry CWE-119, which addresses memory safety issues, and more specifically relates to improper handling of connection state transitions.

From an operational security perspective, this vulnerability creates opportunities for attackers to perform resource exhaustion attacks against DNS servers, potentially leading to complete service disruption. The indefinite hold on connection resources can also impact other network services running on the same system as available file descriptors become consumed. The attack vector involves sending specially crafted TCP streams that exploit the state management flaw in the BIND server TCP handling code. This vulnerability directly impacts the availability of DNS services and can be classified under the attack pattern category of resource exhaustion attacks as defined in the attack tree framework. The affected versions represent a significant security concern for organizations relying on BIND DNS servers for critical infrastructure operations.

The fix requires updating to patched versions of BIND in which connection state management has been properly addressed. Organizations should implement monitoring for unusual connection patterns and consider implementing connection timeouts to mitigate the risk of prolonged connection holds. System administrators should review their BIND server configurations and ensure proper resource limits are in place to prevent complete service exhaustion.

The vulnerability demonstrates the importance of proper TCP state machine implementation and highlights the need for robust connection management in DNS server implementations. The issue also underscores the necessity of regular security updates and patch management for critical infrastructure components. This vulnerability can be exploited by remote attackers without authentication and represents a significant risk to DNS server availability and overall network stability. The impact extends beyond simple service disruption to potential cascading failures in network infrastructure that relies on DNS resolution for normal operations.
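The monitoring recommended above can be implemented by comparing two snapshots of the kernel's TCP table and reporting DNS-port sockets that are in CLOSE_WAIT in both. The following is an added example, not code from VulDB, MITRE or the BIND project; the function names, the sample rows and the IPv4, little-endian `/proc/net/tcp` layout are assumptions.

```python
import socket
import struct

CLOSE_WAIT = "08"  # TCP state code as printed in /proc/net/tcp
DNS_PORT = 53

def decode(hexpair):
    """'0A00000A:0035' -> ('10.0.0.10', 53); assumes a little-endian host, IPv4."""
    ip_hex, port_hex = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def close_wait(snapshot, port=DNS_PORT):
    """Map inode -> (local, remote) for CLOSE_WAIT sockets on the local port."""
    found = {}
    for line in snapshot.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":") or f[3] != CLOSE_WAIT:
            continue  # header, short line, or some other TCP state
        local, remote = decode(f[1]), decode(f[2])
        if local[1] == port:
            found[f[9]] = (local, remote)
    return found

def stuck(earlier, later, port=DNS_PORT):
    """Sockets still in CLOSE_WAIT, same inode and peer, in both snapshots."""
    a, b = close_wait(earlier, port), close_wait(later, port)
    return {i: b[i] for i in a.keys() & b.keys() if a[i] == b[i]}

# Constructed sample data in /proc/net/tcp layout (not captured from a real host).
HDR = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
TAIL = " 00000000:00000000 00:00000000 00000000   112        0 "
SNAP_1 = HDR + (
    "   0: 0A00000A:0035 00000000:0000 0A" + TAIL + "20001\n"   # listener
    "   1: 0A00000A:0035 C80200C0:D431 08" + TAIL + "20417\n"   # CLOSE_WAIT
    "   2: 0A00000A:0035 0A0200C0:C350 08" + TAIL + "20418\n"   # CLOSE_WAIT, closes normally
    "   3: 0A00000A:03B9 0100007F:9C40 08" + TAIL + "20419\n")  # port 953, ignored
SNAP_2 = HDR + (
    "   0: 0A00000A:0035 00000000:0000 0A" + TAIL + "20001\n"
    "   1: 0A00000A:0035 C80200C0:D431 08" + TAIL + "20417\n"   # still CLOSE_WAIT
    "   2: 0A00000A:0035 0B0200C0:C351 08" + TAIL + "20500\n"   # new since SNAP_1
    "   3: 0A00000A:03B9 0100007F:9C40 08" + TAIL + "20419\n")

if __name__ == "__main__":
    for inode, (local, remote) in stuck(SNAP_1, SNAP_2).items():
        print(f"inode {inode}: {local} <- {remote} held in CLOSE_WAIT")
```

On a live server the two snapshots would be reads of `/proc/net/tcp` taken some minutes apart; a set of stuck sockets that keeps growing between runs is the pattern this CVE describes.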

Reservation

01/27/2022

Disclosure

03/23/2022

Moderation

accepted

CPE

ready

EPSS

0.02617

KEV

no

Activities

very low
