CVE-2023-50387

HIGH

Red Hat Enterprise Linux < 2.90 - Resource Allocation Without Limits

Title source: rule

Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-50387. PoCs published by knqyf263, Pablodiz, Meirelez.

Description

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Exploits (3)

nomisec WORKING POC 44 stars
by knqyf263 · poc
https://github.com/knqyf263/CVE-2023-50387

This repository contains a functional proof-of-concept for CVE-2023-50387 (KeyTrap in DNS), demonstrating a DoS attack against DNSSEC validators by exploiting computational complexity in signature validation. The PoC uses Docker containers to simulate an attacker, resolver, and authoritative DNS server, with crafted RRSIG records to trigger excessive CPU usage.

Classification
Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: DNSSEC validators (e.g., Unbound, BIND9)
No auth needed
Prerequisites: Docker environment · Network access to target DNS resolver
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Pablodiz · poc
https://github.com/Pablodiz/CVE-2023-50387

This repository contains a functional proof-of-concept exploit for CVE-2023-50387, a DNSSEC validation vulnerability in Unbound. It includes Dockerized environments for attacker, resolver, and authoritative DNS server, along with scripts to automate the generation of malicious RRSIG records.

Classification
Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Unbound (DNS resolver)
No auth needed
Prerequisites: Docker · Python3 · bind9-utils (dnssec-keygen, dnssec-signzone)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Meirelez · poc
https://github.com/Meirelez/SSR-DNSSEC

This repository contains a functional PoC for CVE-2023-50387, which exploits a DNSSEC validation flaw by generating a key with a specific keytag and creating dummy RRSIG records. The scripts automate the generation of malicious DNSSEC signatures to bypass validation.

Classification
Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: DNSSEC implementations (specific versions not specified)
No auth needed
Prerequisites: DNSSEC-enabled infrastructure · Ability to generate DNS keys and signatures
devstral-2 · analyzed Feb 18, 2026

References (36)

Core References
Third Party Advisory, VDB Entry
https://kb.isc.org/docs/cve-2023-50387

Scores

CVSS v3: 7.5
EPSS: 1.0000
EPSS Percentile: 100.0%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-770
Status: published
Products (17)
fedoraproject/fedora 39
isc/bind 9.0.0 - 9.16.46
microsoft/windows_server_2008 r2 sp1
microsoft/windows_server_2012
microsoft/windows_server_2012 r2
microsoft/windows_server_2016
microsoft/windows_server_2019
microsoft/windows_server_2022
microsoft/windows_server_2022_23h2
nic/knot_resolver < 5.71
... and 7 more
Published: Feb 14, 2024
Tracked Since: Feb 18, 2026