CVE-2016-2776

HIGH EXPLOITED

Oracle Linux < 9.9.9 - Improper Input Validation

Title source: rule
STIX 2.1

Exploitation Summary

CVE-2016-2776 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Infobyte, infobyte, Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research Team, including a Metasploit module auxiliary/dos/dns/bind_tsig.

AI-analyzed exploit summary This exploit targets a denial-of-service vulnerability in BIND 9 DNS servers (CVE-2016-2776) by sending a specially crafted UDP packet. The payload triggers an assertion failure in buffer.c, causing the nameserver to crash.

Description

buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.

Exploits (3)

exploitdb WORKING POC
by Infobyte · pythondosmultiple
https://www.exploit-db.com/exploits/40453

This exploit targets a denial-of-service vulnerability in BIND 9 DNS servers (CVE-2016-2776) by sending a specially crafted UDP packet. The payload triggers an assertion failure in buffer.c, causing the nameserver to crash.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: BIND 9 DNS Server
No auth needed
Prerequisites: Network access to the target DNS server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 27 stars
by infobyte · dos
https://github.com/infobyte/CVE-2016-2776

This repository contains a functional proof-of-concept exploit for CVE-2016-2776, a denial-of-service vulnerability in BIND 9 DNS servers. The exploit crafts a malformed DNS packet with a TSIG record to trigger an assertion failure in the server, causing it to crash.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: BIND 9 DNS Server
No auth needed
Prerequisites: Network access to the target DNS server on port 53/UDP
devstral-2 · analyzed Feb 18, 2026 Full analysis →
metasploit WORKING POC
by Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research Team · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/dns/bind_tsig.rb

This Metasploit module exploits a denial-of-service vulnerability in BIND (CVE-2016-2776) by crafting a malformed DNS query with a TSIG record, triggering an assertion failure in buffer.c. The exploit sends a UDP packet to port 53, optionally spoofing the source address.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: ISC BIND (versions affected by CVE-2016-2776)
No auth needed
Prerequisites: Network access to the target BIND server on port 53/UDP
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (17)

Core 17
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93188
Various Sources x_refsource_confirm
https://kb.isc.org/article/AA-01438
Vendor Advisory x_refsource_confirm
https://kb.isc.org/article/AA-01419/0
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1944.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40453/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201610-07
Various Sources x_refsource_confirm
https://kb.isc.org/article/AA-01435
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2099.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036903
Various Sources vendor-advisory x_refsource_freebsd
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:28.bind.asc
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1945.html
Various Sources x_refsource_confirm
https://kb.isc.org/article/AA-01436
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20160930-0001/

Scores

CVSS v3 7.5
EPSS 0.8948
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

VulnCheck KEV 2016-10-05
CWE
CWE-20
Status published
Products (16)
hp/hp-ux 11.31
isc/bind 9.10.0 (9 CPE variants)
isc/bind 9.10.1 (7 CPE variants)
isc/bind 9.10.2 b1 (7 CPE variants)
isc/bind 9.10.3 (7 CPE variants)
isc/bind 9.10.4 p2 (2 CPE variants)
isc/bind 9.11.0 a1 (7 CPE variants)
isc/bind < 9.9.9
oracle/linux 5.0
oracle/linux 6
... and 6 more
Published Sep 28, 2016
Tracked Since Feb 18, 2026