Rob Schulhof

**Name of the Vulnerable Software and Affected Versions** BIND 9 versions 9.16.0 through 9.16.36 BIND 9 versions 9.18.0 through 9.18.10 BIND 9 versions 9.19.0 through 9.19.8 BIND 9 versions 9.16.8-S1 through 9.16.36-S1 **Description** The issue is related to the allocation of large amounts of memory by `named` when sending a flood of dynamic DNS updates. This can cause `named` to exit due to a lack of free memory. The scope of this issue is limited to trusted clients who are permitted to make dynamic zone changes. Memory is allocated prior to the checking of access permissions and is retained during the processing of a dynamic update from a client whose access credentials are accepted. If a dynamic update is REFUSED, memory will be released again very quickly. Therefore, it is only likely to be possible to degrade or stop `named` by sending a flood of unaccepted dynamic updates comparable in magnitude to a query flood intended to achieve the same detrimental outcome. **Recommendations** For BIND 9 versions 9.16.0 through 9.16.36, update to a version that includes the fix for this issue. For BIND 9 versions 9.18.0 through 9.18.10, update to a version that includes the fix for this issue. For BIND 9 versions 9.19.0 through 9.19.8, update to a version that includes the fix for this issue. For BIND 9 versions 9.16.8-S1 through 9.16.36-S1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to dynamic updates to minimize the risk of exploitation.