CVE-2024-12705

EUVD-2024-51062
Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic.
This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
iscCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Debian logo
Debian Releases
Debian Product
Codename
bind9
bookworm
1:9.18.33-1~deb12u2
fixed
bookworm (security)
1:9.18.41-1~deb12u1
fixed
bullseye
1:9.16.50-1~deb11u2
not-affected
bullseye (security)
1:9.16.50-1~deb11u4
fixed
forky
1:9.20.15-2
fixed
sid
1:9.20.15-2
fixed
trixie
1:9.20.15-1~deb13u1
fixed
trixie (security)
1:9.20.15-1~deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bind9
bionic
not-affected
focal
Fixed 1:9.18.30-0ubuntu0.20.04.2
released
jammy
Fixed 1:9.18.30-0ubuntu0.22.04.2
released
noble
Fixed 1:9.18.30-0ubuntu0.24.04.2
released
oracular
Fixed 1:9.20.0-2ubuntu3.1
released
plucky
Fixed 1:9.20.0-2ubuntu4
released
questing
Fixed 1:9.20.0-2ubuntu4
released
trusty
not-affected
xenial
not-affected
isc-dhcp
bionic
needs-triage
focal
not-affected
jammy
not-affected
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
trusty
not-affected
xenial
not-affected
bind9-libs
focal
needs-triage
jammy
needs-triage
noble
dne
oracular
dne
plucky
dne
questing
dne
Common Weakness Enumeration
References
https://kb.isc.org/docs/cve-2024-12705
https://security.netapp.com/advisory/ntap-20250207-0003/