A serious security flaw in the widely used BIND DNS software can let attackers crash DNS servers with a single malicious packet. The flaw, tracked as CVE-2025-40775, affects specific versions of BIND and has been rated high severity.
The Internet Systems Consortium (ISC) released updates on May 21, 2025, to fix the issue in BIND versions 9.18.37, 9.20.9, and 9.21.8. Versions 9.20.0 to 9.20.8 and 9.21.0 to 9.21.7 are vulnerable. The older 9.18.x Extended Support Version (ESV) is not affected.
How the Attack Works
The flaw lies in how BIND handles Transaction Signatures (TSIG), a shared-secret mechanism used to authenticate DNS messages exchanged between servers. When BIND processes a DNS message carrying a TSIG record whose algorithm field is invalid, vulnerable versions fail an internal assertion and the server crashes.
The issue is categorized under CWE-232 (Improper Handling of Undefined Values) and has a CVSS score of 7.5, marking it as a high-risk vulnerability.
Because the error occurs early in the packet processing stage, attackers only need to send one malformed packet from anywhere on the internet to trigger a denial-of-service (DoS). No login or access credentials are required.
Impact and Risk
This flaw affects both authoritative and recursive DNS servers. Standard defenses such as access control lists (ACLs) do not block the exploit, because the failing check runs early in message processing, before ACLs are evaluated.
DNS servers play a critical role by translating website names into IP addresses. Disrupting their function could impact large parts of the internet. Security researcher Rob Graham has warned that similar past vulnerabilities showed how easily attackers could crash large numbers of public-facing DNS servers.
Affected Versions
| Product | Affected Versions | Impact | CVSS Score |
|---|---|---|---|
| BIND 9 | 9.20.0 – 9.20.8, 9.21.0 – 9.21.7 | Denial of Service (Crash) | 7.5 (High) |
Mitigation Steps
Organizations should immediately update to the patched versions: BIND 9.20.9 or 9.21.8. These versions are available from the ISC download page.
There are currently no workarounds available, and patching is the only effective protection. Administrators should also note that the 9.18.x ESV branch is not vulnerable.
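As an added example (not part of the article and not an ISC tool), a small Python triage helper that applies the version ranges above to `named -v` output collected across a server inventory; the inventory lines, hostnames and build ids are constructed.

```python
import re

# Version facts below are taken from the advisory text; hostnames are constructed.
AFFECTED = [((9, 20, 0), (9, 20, 8)), ((9, 21, 0), (9, 21, 7))]
FIXED = {(9, 20): (9, 20, 9), (9, 21): (9, 21, 8)}
NOT_AFFECTED_BRANCHES = {(9, 18)}  # the 9.18.x ESV branch is not affected
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")

def parse_bind_version(text):
    """Extract (major, minor, patch) from `named -v` output such as
    'BIND 9.20.5 (Stable Release) <id:...>' or a distro build string like
    'BIND 9.20.4-1ubuntu1' (suffix ignored). Returns None if no version is found."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def assess(text):
    """Classify one named version string against the CVE-2025-40775 advisory.
    Returns 'vulnerable', 'fixed', 'not affected' or 'unknown' (no version
    found, or a branch the advisory does not mention)."""
    v = parse_bind_version(text)
    if v is None:
        return "unknown"
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "vulnerable"
    branch = v[:2]
    if branch in FIXED and v >= FIXED[branch]:
        return "fixed"
    if branch in NOT_AFFECTED_BRANCHES:
        return "not affected"
    return "unknown"

def hosts_to_patch(inventory_lines):
    """Given 'hostname: <named -v output>' lines, return the hosts still running
    an affected version, in input order."""
    needs_patch = []
    for line in inventory_lines:
        host, _, version_text = line.partition(":")  # split on first ':' only
        if assess(version_text) == "vulnerable":
            needs_patch.append(host.strip())
    return needs_patch

# Constructed sample inventory; hostnames and build ids are made up.
SAMPLE_INVENTORY = [
    "ns1.example.net: BIND 9.20.8 (Stable Release) <id:deadbeef>",
    "ns2.example.net: BIND 9.18.37 (Extended Support Version) <id:cafe>",
    "ns3.example.net: BIND 9.21.7-1ubuntu1",
    "ns4.example.net: BIND 9.21.8 (Development Release)",
]
```

Anything reported as "unknown" (a branch the advisory does not list, or unparseable output) should be checked by hand rather than assumed safe.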
The ISC recommends regularly checking for updates and staying current on platform support timelines. Support for RHEL 7 ended in June 2024, and future BIND versions will not support it.