CVE-2024-0760

Description

A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1.

How to fix CVE-2024-0760

To remediate CVE-2024-0760, upgrade the affected package to a fixed version below.

—upgrade to 9.18.31-r0 or later
—upgrade to 1:9.18.28-1~deb12u1 or later

Is CVE-2024-0760 being exploited?

Moderate — EPSS is 16.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 9.18.31-r0
from 0, < 1:9.18.28-1~deb12u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-0760
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-0760