INFSA-2025:21111: bind9.18 security update
Information about definition
Identificator: INFSA-2025:21111
Type: security
Release date: 2025-12-01 14:25:51 UTC
Information about package
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.
Vulnerabilities description
- CVE-2025-40778
A vulnerability exists in BIND’s DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. Under certain conditions, this flaw allows attackers to inject unsolicited or forged DNS records into the cache. This can be exploited to poison the resolver cache, redirecting clients to malicious domains or unauthorized servers.
- CVE-2025-40780
ISC BIND could allow a remote attacker to poison the DNS cache, caused by a weakness in the Pseudo Random Number Generator (PRNG). An attacker could exploit this vulnerability to predict the source port and query ID that BIND will use.
- CVE-2025-8677
ISC BIND is vulnerable to a denial of service, caused by improper DNSKEY handling. By querying for records within a specially crafted zone containing certain malformed DNSKEY records, a remote attacker could exploit this vulnerability to exhaust CPU resources.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2025-40778
|
no information | 8.6 | no information |
|
NIST — CVE-2025-40780
|
no information | 8.6 | no information |
|
NIST — CVE-2025-8677
|
no information | 7.5 | no information |
Updated packages
Preparing to download...