This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` that also make use of the option `stale-answer-client-timeout`, configured with a value greater than zero. If the resolver receives many queries that require recursion, there will be a corresponding increase in the number of clients that are waiting for recursion to complete. If there are sufficient clients already waiting when a new client query is received so that it is necessary to SERVFAIL the longest waiting client (see BIND 9 ARM `recursive-clients` limit and soft quota), then it is possible for a race to occur between providing a stale answer to this older client and sending an early timeout SERVFAIL, which may cause an assertion failure. This issue affects BIND 9 versions 9.16.12 through 9.16.36, 9.18.0 through 9.18.10, 9.19.0 through 9.19.8, and 9.16.12-S1 through 9.16.36-S1.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: isc

Published: 2023-01-25T21:39:49.110Z

Updated: 2024-08-03T01:20:58.777Z

Reserved: 2022-11-10T09:07:37.642Z

Link: CVE-2022-3924

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-01-26T21:16:03.273

Modified: 2024-11-21T07:20:32.627

Link: CVE-2022-3924

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-01-25T00:00:00Z

Links: CVE-2022-3924 - Bugzilla