Cyber Resilience

CVE-2022-3488

High

Published: 26 January 2023

Published
26 January 2023
Modified
01 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.1521 94.8th percentile
Risk Priority 24 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-3488 is a high-severity Reachable Assertion (CWE-617) vulnerability in Isc Bind. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-3488 is a reachable assertion vulnerability in ISC BIND 9 that can be triggered when a resolver processes repeated responses to the same query, both containing ECS pseudo-options, where the first response is malformed in a way that causes rejection, such as a name mismatch between query and answer. The flaw affects only the subscription-supported branches 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.36-S1 and carries a CVSS 3.1 score of 7.5 with high availability impact.

An unauthenticated remote attacker able to send crafted DNS responses to an affected recursive resolver can force the daemon to exit via assertion failure, resulting in a denial-of-service condition. No special network position beyond the ability to answer queries is required.

The official ISC knowledge-base article at kb.isc.org/docs/cve-2022-3488 describes the issue and the corrective steps for supported customers. The associated EPSS score has remained flat at 0.1521 with no material increase after disclosure.

EU & UK References

Vulnerability details

Processing of repeated responses to the same query, where both responses contain ECS pseudo-options, but where the first is broken in some way, can cause BIND to exit with an assertion failure. 'Broken' in this context is anything that would…

more

cause the resolver to reject the query response, such as a mismatch between query and answer name. This issue affects BIND 9 versions 9.11.4-S1 through 9.11.37-S1 and 9.16.8-S1 through 9.16.36-S1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

isc
bind
9.11.37, 9.11.4, 9.16.36, 9.16.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References