Cyber Posture

CVE-2024-12705

High

Published: 29 January 2025
Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0562 (90.4th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12705 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly implements denial-of-service protections to prevent resource exhaustion from HTTP/2 traffic floods targeting the BIND DoH endpoint.

prevent

Enforces resource availability protections to mitigate CPU and memory depletion caused by unthrottled HTTP/2 requests in BIND 9.

prevent

Ensures timely flaw remediation through patching of the specific BIND 9 DoH vulnerability across affected versions.

NVD Description

Clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. This issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1.

Deeper analysis

CVE-2024-12705 is a denial-of-service vulnerability in BIND 9 that allows clients using DNS-over-HTTPS (DoH) to exhaust a DNS resolver's CPU and/or memory resources by flooding it with crafted valid or invalid HTTP/2 traffic. The issue affects BIND 9 versions 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and 9.18.11-S1 through 9.18.32-S1. It is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote attackers can exploit this vulnerability without authentication or user interaction by sending HTTP/2 traffic to the DoH endpoint of an affected BIND resolver. Successful exploitation leads to resource exhaustion, causing high-impact denial of service that disrupts DNS resolution services.

Mitigation details are available in the ISC knowledge base advisory at https://kb.isc.org/docs/cve-2024-12705 and the NetApp security advisory at https://security.netapp.com/advisory/ntap-20250207-0003/. Security practitioners should consult these resources for patch information and recommended actions.

Details

CWE(s)

CVEs Like This One

CVE-2025-8099 (Shared CWE-770)
CVE-2021-47895 (Shared CWE-770)
CVE-2020-37085 (Shared CWE-770)
CVE-2026-20103 (Shared CWE-770)
CVE-2024-12537 (Shared CWE-770)
CVE-2026-33256 (Shared CWE-770)
CVE-2026-26313 (Shared CWE-770)
CVE-2026-31283 (Shared CWE-770)
CVE-2026-35401 (Shared CWE-770)
CVE-2025-1059 (Shared CWE-770)
