CVE-2016-2776
HIGH · EXPLOITED
Oracle Linux < 9.9.9 - Improper Input Validation
Title source: ruleDescription
buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.
Exploits (4)
metasploit
WORKING POC
by Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research Team · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/dns/bind_tsig.rb
References (17)
Scores
CVSS v3: 7.5
EPSS: 0.8696
EPSS Percentile: 99.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
VulnCheck KEV: 2016-10-05
CWE: CWE-20
Status: published
Products (16)
hp/hp-ux 11.31
isc/bind 9.10.0 (9 CPE variants)
isc/bind 9.10.1 (7 CPE variants)
isc/bind 9.10.2 b1 (7 CPE variants)
isc/bind 9.10.3 (7 CPE variants)
isc/bind 9.10.4 p2 (2 CPE variants)
isc/bind 9.11.0 a1 (7 CPE variants)
isc/bind < 9.9.9
oracle/linux 5.0
oracle/linux 6
... and 6 more
Published: Sep 28, 2016
Tracked Since: Feb 18, 2026