oss-sec mailing list archives
ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780)
From: Michał Kępień <michal () isc org>
Date: Wed, 22 Oct 2025 17:21:29 +0200

On 22 October 2025 we (Internet Systems Consortium) disclosed three vulnerabilities affecting our BIND 9 software:

- CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling
  https://kb.isc.org/docs/cve-2025-8677
- CVE-2025-40778: Cache poisoning attacks with unsolicited RRs
  https://kb.isc.org/docs/cve-2025-40778
- CVE-2025-40780: Cache poisoning due to weak PRNG
  https://kb.isc.org/docs/cve-2025-40780

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can find individual vulnerability-specific patches in the "patches" subdirectory of each published release directory:

- https://downloads.isc.org/isc/bind9/9.18.41/patches/
- https://downloads.isc.org/isc/bind9/9.20.15/patches/
- https://downloads.isc.org/isc/bind9/9.21.14/patches/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.

--
Best regards,
Michał Kępień
