Critical BIND 9 Vulnerabilities Put DNS Security at Risk

The Internet Systems Consortium (ISC) has disclosed two serious vulnerabilities in BIND 9, one of the most widely deployed DNS resolver software packages. These flaws could allow attackers to perform cache poisoning or cause denial-of-service (DoS) conditions, potentially disrupting DNS services and compromising security.

Organizations using affected versions of BIND should review their configurations and apply updates as soon as possible.

  • The first vulnerability, a cache poisoning risk from EDNS client subnet (CVE-2025-40776), impacts BIND Subscription Edition versions that have the EDNS Client Subnet (ECS) feature enabled. ECS is intended to improve DNS response accuracy but introduces a risk that attackers can exploit to poison DNS caches. By manipulating DNS queries and exploiting ECS behavior, attackers may inject false DNS data into resolver caches, leading to users being redirected to malicious sites. To mitigate this risk, administrators should either disable ECS if it is not required or upgrade to patched BIND Subscription Edition releases starting with version 9.18.38-S1.
  • The second vulnerability, a denial-of-service via assertion failure (CVE-2025-40777), affects BIND versions configured with serve-stale-enable yes and stale-answer-client-timeout set to 0. In these conditions, specially crafted DNS queries can trigger assertion failures, causing the BIND service to crash and deny DNS resolution. This flaw affects BIND versions 9.20.0 through 9.20.10 and 9.21.0 through 9.21.9. Affected users should upgrade to BIND 9.20.11, 9.21.10, or later. As a temporary workaround, disabling stale-answer handling or setting stale-answer-client-timeout to a non-zero value can reduce risk until an upgrade is possible.

Recommended Actions

Organizations should first identify their BIND version and review whether ECS and stale-answer features are enabled, as these settings affect vulnerability exposure. The cache poisoning issue (CVE-2025-40776) impacts BIND Subscription Edition versions 9.11.3-S1 through 9.20.10-S1 with ECS enabled, and is fixed starting with 9.18.38-S1. The denial-of-service flaw (CVE-2025-40777) affects BIND 9.20.0 through 9.20.10 and 9.21.0 through 9.21.9 when configured as described, with fixes available in 9.20.11, 9.21.10, and newer releases.

Because the DoS fix requires BIND 9.20 or higher, organizations running earlier versions should plan an upgrade to at least 9.20.11 to address both vulnerabilities. If immediate upgrading is not feasible, exposure can be reduced by disabling ECS (removing or commenting out the ecs-zones option in named.conf) and by adjusting the stale-answer settings (disabling stale-answer handling, or setting stale-answer-client-timeout to a non-zero value).
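The assessment described above (identify the running version, then check whether ECS and the stale-answer settings put that version in one of the affected configurations) can be scripted. The following is an added example, not code from ISC or from the original article. It works on two inputs that a real check would take from `named -v` and from `named-checkconf -p`: here both are constructed sample strings embedded in the script. The version ranges and the fix version are the ones stated in this article; the `harden()` helper applies the article's interim workarounds (disable stale-answer handling, comment out ecs-zones) so the weak configuration can be compared with the corrected one. Treating any Subscription Edition release at or above 9.18.38-S1 as patched is this example's interpretation of the advisory summary.

```python
import re

# Affected version ranges as stated in the advisory summary above.
# CVE-2025-40777 (DoS): 9.20.0 through 9.20.10 and 9.21.0 through 9.21.9.
DOS_AFFECTED = [((9, 20, 0), (9, 20, 10)), ((9, 21, 0), (9, 21, 9))]
# CVE-2025-40776 (ECS cache poisoning): Subscription Edition 9.11.3-S1 through
# 9.20.10-S1 with ECS enabled; fixed starting with 9.18.38-S1.
ECS_AFFECTED = ((9, 11, 3), (9, 20, 10))
ECS_FIXED = (9, 18, 38)

# Constructed sample inputs (not taken from a real host): a banner in the
# format `named -v` prints, and a named.conf fragment with the weak settings.
SAMPLE_VERSION_BANNER = "BIND 9.20.10 (Stable Release) <id:placeholder>"
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    serve-stale-enable yes;
    stale-answer-client-timeout 0;
    ecs-zones { example.com; };   // Subscription Edition ECS option
};
"""


def parse_version(banner):
    """Return ((major, minor, patch), suffix) from a `named -v` banner.
    suffix is e.g. '-S1' for a Subscription Edition build, '' otherwise."""
    m = re.search(r"BIND (\d+)\.(\d+)\.(\d+)(-S\d+)?", banner)
    if not m:
        raise ValueError(f"unrecognised BIND version banner: {banner!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, (m.group(4) or "")


def strip_comments(conf):
    """named.conf allows /* */, // and # comments; remove them before parsing."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def option_value(conf, name):
    """Return the value of a simple `name value;` option, or None if unset."""
    m = re.search(rf"\b{re.escape(name)}\s+([^;{{]+);", strip_comments(conf))
    return m.group(1).strip() if m else None


def ecs_enabled(conf):
    """The article names ecs-zones as the option that enables ECS."""
    return re.search(r"\becs-zones\b", strip_comments(conf)) is not None


def assess(banner, conf):
    """Map each CVE to True (exposed) or False for this version + config."""
    version, suffix = parse_version(banner)

    # DoS flaw needs an affected version AND serve-stale on AND a 0 timeout.
    stale_on = option_value(conf, "serve-stale-enable") == "yes"
    timeout = option_value(conf, "stale-answer-client-timeout")
    dos_version = any(lo <= version <= hi for lo, hi in DOS_AFFECTED)

    # ECS flaw needs a Subscription Edition build in the stated range that is
    # below the fix version, AND ECS enabled in the configuration.
    ecs_version = (suffix.startswith("-S")
                   and ECS_AFFECTED[0] <= version <= ECS_AFFECTED[1]
                   and version < ECS_FIXED)

    return {
        "CVE-2025-40777": dos_version and stale_on and timeout == "0",
        "CVE-2025-40776": ecs_version and ecs_enabled(conf),
    }


def harden(conf):
    """Apply the interim workarounds from the article to a config text:
    disable stale-answer handling and comment out ecs-zones."""
    conf = re.sub(r"\bserve-stale-enable\s+yes;", "serve-stale-enable no;", conf)
    conf = re.sub(r"^(\s*)(ecs-zones\b.*)$", r"\1// \2", conf, flags=re.M)
    return conf


if __name__ == "__main__":
    for label, conf in (("as configured", SAMPLE_NAMED_CONF),
                        ("after workarounds", harden(SAMPLE_NAMED_CONF))):
        print(label, assess(SAMPLE_VERSION_BANNER, conf))
```

On a live resolver, feed `assess()` the output of `named -v` and of `named-checkconf -p` (which prints the effective configuration with includes expanded) rather than the embedded samples; the workarounds are only a stop-gap until the fixed release is installed.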

Continuous monitoring of DNS traffic and logs is essential to detect any suspicious activity or exploitation attempts. Staying up to date with ISC’s official advisories and BIND release notes will help keep your DNS infrastructure secure and resilient.

Both vulnerabilities highlight the critical need to keep DNS software current and manage advanced features carefully. Prompt patching is essential to maintain service availability and protect users from DNS-based attacks.

For detailed guidance, refer to ISC’s official security advisories and BIND release notes.

