CVE-2016-1285

Name: CVE-2016-1285
Creator: NVD / NIST
Published: 2016-03-09T23:59:02.133+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.8/10EPSS 58.99%

Last modified Jun 17, 2026

CVE-2016-1285 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c.. EPSS estimates a 58.99% chance of exploitation in the next 30 days.

Description

named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fetch reply messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c.

Metrics

CVSS 3.1

6.8/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Probability

58.99%

99.0th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions	Update
Isc	Bind	>= 9.0.0, < 9.9.8	—
Isc	Bind	>= 9.10.0, < 9.10.3	—
Isc	Bind	9.9.8	—
Isc	Bind	9.10.3	—
Suse	Linux Enterprise Debuginfo	11	Sp2
Suse	Manager	2.1	—
Suse	Manager Proxy	2.1	—
Suse	Openstack Cloud	5	—
Opensuse	Leap	42.1	—
Opensuse	Opensuse	11.4	—
Opensuse	Opensuse	13.1	—
Opensuse	Opensuse	13.2	—
Suse	Linux Enterprise Desktop	11	Sp4
Suse	Linux Enterprise Desktop	12	—
Suse	Linux Enterprise Server	11	Sp2
Suse	Linux Enterprise Server	12	—
Suse	Linux Enterprise Software Development Kit	11	Sp4
Suse	Linux Enterprise Software Development Kit	12	—
Fedoraproject	Fedora	22	—
Fedoraproject	Fedora	23	—
Fedoraproject	Fedora	24	—
Canonical	Ubuntu Linux	12.04	—
Canonical	Ubuntu Linux	14.04	—
Canonical	Ubuntu Linux	15.10	—
Debian	Debian Linux	7.0	—
Debian	Debian Linux	8.0	—
Debian	Debian Linux	9.0	—
Juniper	Junos	12.1x46	—
Juniper	Junos	12.1x46-d10	—
Juniper	Junos	12.1x46-d76	—
Juniper	Junos	12.3x48	—
Juniper	Junos	15.1x49	D10
Juniper	Junos	17.3	—
Juniper	Junos	17.4	—
Juniper	Junos	18.1	—
Juniper	Junos	18.2	—
Juniper	Junos	18.3	—
Juniper	Junos	18.4	—

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181036.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181037.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178831.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178880.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179904.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179911.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00046.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00053.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00070.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00072.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00075.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00079.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00084.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00013.htmlMailing List, Third Party Advisory
http://marc.info/?l=bugtraq&m=146191105921542&w=2Issue Tracking, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0562.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0601.htmlThird Party Advisory
http://www.debian.org/security/2016/dsa-3511Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmlThird Party Advisory
http://www.securitytracker.com/id/1035236Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/USN-2925-1Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05087821Third Party Advisory
https://kb.isc.org/article/AA-01352Vendor Advisory
https://kb.isc.org/article/AA-01380Broken Link, Release Notes
https://kb.isc.org/article/AA-01438Broken Link
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:13.bind.ascThird Party Advisory
https://security.gentoo.org/glsa/201610-07Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181036.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181037.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178831.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178880.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179904.htmlMailing List
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179911.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00046.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00053.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00070.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00072.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00075.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00079.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00084.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00013.htmlMailing List, Third Party Advisory
http://marc.info/?l=bugtraq&m=146191105921542&w=2Issue Tracking, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0562.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-0601.htmlThird Party Advisory
http://www.debian.org/security/2016/dsa-3511Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmlThird Party Advisory
http://www.securitytracker.com/id/1035236Broken Link, Third Party Advisory, VDB Entry
http://www.ubuntu.com/usn/USN-2925-1Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05087821Third Party Advisory
https://kb.isc.org/article/AA-01352Vendor Advisory
https://kb.isc.org/article/AA-01380Broken Link, Release Notes
https://kb.isc.org/article/AA-01438Broken Link
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:13.bind.ascThird Party Advisory
https://security.gentoo.org/glsa/201610-07Third Party Advisory

Timeline

Published: Mar 9, 2016
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-1285?

How severe is CVE-2016-1285?

CVE-2016-1285 has a CVSS score of 6.8/10 (MEDIUM severity). The EPSS model estimates a 58.99% probability of exploitation in the next 30 days.

How do I fix CVE-2016-1285?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-1285?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST