Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://www.openwall.com/lists/oss-security/2024/02/16/2 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2024/02/16/3 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2023-50387 cve-icon cve-icon
https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released cve-icon
https://bugzilla.suse.com/show_bug.cgi?id=1219823 cve-icon cve-icon
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html cve-icon cve-icon
https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1 cve-icon cve-icon
https://kb.isc.org/docs/cve-2023-50387 cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/ cve-icon cve-icon
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html cve-icon cve-icon
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387 cve-icon cve-icon
https://news.ycombinator.com/item?id=39367411 cve-icon cve-icon
https://news.ycombinator.com/item?id=39372384 cve-icon cve-icon
https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/ cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2023-50387 cve-icon
https://security.netapp.com/advisory/ntap-20240307-0007/ cve-icon cve-icon
https://www.athene-center.de/aktuelles/key-trap cve-icon cve-icon
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2023-50387 cve-icon
https://www.isc.org/blogs/2024-bind-security-release/ cve-icon cve-icon
https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html cve-icon
https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/ cve-icon cve-icon
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/ cve-icon cve-icon
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.37608}

epss

{'score': 0.45102}


Mon, 12 May 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhel_els:6

Fri, 13 Dec 2024 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-05-12T15:02:17.822Z

Reserved: 2023-12-07T00:00:00.000Z

Link: CVE-2023-50387

cve-icon Vulnrichment

Updated: 2024-08-02T22:16:46.692Z

cve-icon NVD

Status : Modified

Published: 2024-02-14T16:15:45.300

Modified: 2025-05-12T15:15:56.673

Link: CVE-2023-50387

cve-icon Redhat

Severity : Important

Publid Date: 2024-02-13T00:00:00Z

Links: CVE-2023-50387 - Bugzilla

cve-icon OpenCVE Enrichment

No data.