
BIND patches serious cache-poisoning vulnerabilities

Experts from the nonprofit organization that maintains Internet infrastructure, the Internet Systems Consortium (ISC), have released updates for the BIND 9 DNS server that fix three serious vulnerabilities. Two of them allow attackers to poison the cache, and the third can lead to a denial of service.

The first issue (CVE-2025-40780) received a CVSS score of 8.6 and is related to a bug in the pseudorandom number generator (PRNG). Under certain circumstances, an attacker can predict the source port and the query ID that will be used during communication.

In effect, this vulnerability weakens the protection introduced after Dan Kaminsky’s well-known research in 2008. At that time, source-port randomization was introduced to prevent DNS cache poisoning — instead of sending every query from port 53, the resolver began choosing its source port at random from thousands of possible values. The combination of a random port and a random 16-bit transaction ID gave an off-path attacker billions of possibilities to guess, making blind spoofing impractical. The new vulnerability partially undermines this protection.

Attackers can exploit this bug in spoofing attacks. If the attack succeeds, BIND caches the attacker’s forged responses instead of legitimate data, redirecting users to malicious resources.

The second vulnerability (CVE-2025-40778) also received a CVSS score of 8.6. The root of this issue is that BIND can be overly tolerant when accepting records from responses; in practice, the server does not validate incoming data strictly enough.

This creates an opportunity to inject forged records directly into the DNS server’s cache. Attackers can supply fake data that will affect the processing of future queries from all users of that server.
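The two protections the article describes, matching a response against an unpredictable (transaction ID, source port) pair and refusing to cache records a response was never entitled to supply, can be shown together in a toy resolver cache. The code below is an added illustration, not BIND's or ISC's code, and it does not claim to reproduce the specific bug in either CVE; the `ToyCache` class, the bailiwick rule (only cache names at or below the zone that was queried), the port range and all sample records are constructed for the example. `blind_guess_space` simply counts the combinations an off-path spoofer would have to cover when both values are random, which is where the article's "billions of possibilities" comes from.

```python
"""Toy recursive-resolver cache: response matching + in-bailiwick caching.

Added example (not BIND/ISC code). All names, ports and records are constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16          # 16-bit DNS transaction ID
PORT_LO, PORT_HI = 1024, 65535  # ephemeral source-port range (assumption)


@dataclass
class RR:
    name: str      # owner name, absolute (trailing dot)
    rtype: str
    rdata: str


@dataclass
class PendingQuery:
    qname: str
    qtype: str
    zone: str      # zone the queried server is authoritative for
    txid: int
    src_port: int


@dataclass
class Response:
    txid: int
    dst_port: int            # port the reply was sent to (our source port)
    answer: list[RR]
    additional: list[RR] = field(default_factory=list)


def blind_guess_space(port_lo: int = PORT_LO, port_hi: int = PORT_HI) -> int:
    """Number of (txid, port) pairs an off-path spoofer must cover blindly."""
    return TXID_SPACE * (port_hi - port_lo + 1)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


class ToyCache:
    def __init__(self) -> None:
        self.pending: dict[tuple[int, int], PendingQuery] = {}
        self.records: dict[tuple[str, str], str] = {}

    def send_query(self, qname: str, qtype: str, zone: str) -> PendingQuery:
        """Register an outstanding query with a fresh random txid and port."""
        txid = secrets.randbelow(TXID_SPACE)
        port = PORT_LO + secrets.randbelow(PORT_HI - PORT_LO + 1)
        q = PendingQuery(qname, qtype, zone, txid, port)
        self.pending[(txid, port)] = q
        return q

    def accept_response(self, resp: Response) -> tuple[bool, int]:
        """Return (accepted, records_cached).

        A reply is accepted only if it matches an outstanding query on both
        txid and destination port; each matching query is consumed once, so a
        replayed or late duplicate is rejected. Of an accepted reply, only
        records inside the queried zone's bailiwick are cached.
        """
        q = self.pending.pop((resp.txid, resp.dst_port), None)
        if q is None:
            return False, 0
        cached = 0
        for rr in resp.answer + resp.additional:
            if in_bailiwick(rr.name, q.zone):
                self.records[(rr.name, rr.rtype)] = rr.rdata
                cached += 1
        return True, cached


if __name__ == "__main__":
    cache = ToyCache()
    q = cache.send_query("www.example.com.", "A", zone="example.com.")
    forged = Response((q.txid + 1) % TXID_SPACE, q.src_port,
                      [RR("www.example.com.", "A", "198.51.100.9")])
    print("forged reply accepted:", cache.accept_response(forged))
    good = Response(q.txid, q.src_port,
                    [RR("www.example.com.", "A", "192.0.2.1")],
                    [RR("ns.other-domain.test.", "A", "198.51.100.7")])
    print("genuine reply accepted:", cache.accept_response(good))
    print("cached:", cache.records)
```

The out-of-bailiwick `ns.other-domain.test.` glue in the genuine reply is dropped even though the reply itself is authentic; that is the kind of strictness a cache needs so that one server's answer cannot plant data for an unrelated name.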

The third issue (CVE-2025-8677) received a CVSS score of 7.5 and is a denial-of-service (DoS) vulnerability. It is triggered when querying records in a specially crafted zone containing malformed DNSKEY records; an attacker could use it to exhaust CPU resources on the resolver.

ISC notes that all three vulnerabilities affect resolvers—servers that handle clients’ DNS queries. Servers that host authoritative DNS records for domains are not affected by these issues.

That said, the real-world risk of the discovered issues is further limited by several factors. For example, Red Hat experts do not consider CVE-2025-40780 critical, since exploiting the bug is difficult and requires network-level spoofing with precise timing. Moreover, the vulnerability affects only the integrity of the cache and does not compromise the server itself.

It is also emphasized that several defensive measures still apply: DNSSEC, rate limiting, and firewalls remain effective barriers against cache-poisoning attacks.

All three issues have been fixed in BIND versions 9.18.41, 9.20.15, and 9.21.14. For the commercial BIND Supported Preview Edition, versions 9.18.41-S1 and 9.20.15-S1 have been released.
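A quick way to turn the fixed-version list above into an inventory check is to parse the version string reported by `named -v` and compare it against the first fixed release of its branch. The script below is an added example, not an ISC tool; the fixed-version table contains only the releases named in this article, `-S` suffixes are treated as the Supported Preview Edition of the same base version, and any branch not in the table (for example 9.16) is reported as not listed so that it is migrated rather than assumed safe.

```python
"""Classify a BIND version string against the fixed releases named in the article.

Added example, not ISC tooling. The table below is transcribed from the article.
"""
import re

# branch (major, minor) -> first release in that branch with all three fixes
FIXED = {
    (9, 18): (9, 18, 41),   # also 9.18.41-S1 for the Supported Preview Edition
    (9, 20): (9, 20, 15),   # also 9.20.15-S1
    (9, 21): (9, 21, 14),
}

# Matches '9.18.41', '9.18.41-S1', or the same inside 'BIND 9.18.41 (Stable Release)'
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_version(text):
    """Return ((major, minor, patch), edition_suffix_or_None), or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    return base, m.group(4)


def assess(text):
    """Return 'fixed', 'vulnerable', 'not_listed', or 'unparseable'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    base, _edition = parsed
    fixed = FIXED.get(base[:2])
    if fixed is None:
        # Branch not in the advisory's fixed list: old/unsupported or not covered.
        return "not_listed"
    return "fixed" if base >= fixed else "vulnerable"


def report(hosts):
    """hosts: {hostname: version string} -> {hostname: status} (constructed input)."""
    return {host: assess(ver) for host, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = {
        "resolver-a.example": "BIND 9.18.40 (Extended Support Version) <id:abc>",
        "resolver-b.example": "9.20.15-S1",
        "resolver-c.example": "9.21.13",
        "resolver-d.example": "9.16.50",
    }
    for host, status in report(sample).items():
        print(f"{host}: {status}")
```

Run it against the output collected from each resolver; anything other than `fixed` is an upgrade candidate, and `not_listed` hosts need a migration to a current branch, as the article recommends.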

ISC strongly recommends that everyone update as soon as possible. Organizations that still use old and unsupported versions of the DNS server should migrate to the current release.

It should also be noted that the same researchers discovered similar vulnerabilities in another popular DNS resolver, Unbound, although the issues there were rated even lower — 5.6 on the CVSS scale.
