CVE-2023-2828: 
NixOS vulnerability analysis and mitigation

CVE-2023-2828 affects BIND 9 versions 9.11.0 through 9.16.41, 9.18.0 through 9.18.15, 9.19.0 through 9.19.13, 9.11.3-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1. The vulnerability was discovered and disclosed on June 21, 2023 (ISC Advisory).

The vulnerability exists in the cache-cleaning algorithm used in named (BIND's DNS server). Every named instance configured as a recursive resolver maintains a cache database with responses from authoritative servers. When the cache reaches 7/8 of the configured max-cache-size limit, a cache-cleaning algorithm starts removing expired and least-recently used RRsets. However, the effectiveness of this algorithm can be severely diminished by querying the resolver for specific RRsets in a certain order, allowing the configured max-cache-size limit to be significantly exceeded (NVD). The vulnerability has been assigned a CVSS base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (ISC Advisory).

Successful exploitation of this vulnerability could allow a remote attacker to cause the DNS server to consume excessive memory, potentially leading to a denial of service condition (Debian Advisory).

The vulnerability has been fixed in BIND versions 9.16.42, 9.18.16, and 9.19.14. Organizations are strongly recommended to upgrade to these or later versions. The fix improves the overmem cleaning process to prevent the cache from significantly exceeding the configured max-cache-size limit (Fedora Advisory).