Assertion Failure in BIND 9 Caching Resolver with Stale Answers Enabled by Internet Systems Consortium
CVE-2025-40777

7.5HIGH

Key Information:

Vendor

Isc
Status
Bind 9
Vendor
CVE Published:
16 July 2025

Badges

👾 Exploit Exists

What is CVE-2025-40777?

Affects BIND 9 when configured to allow stale answers. Specifically, if 'serve-stale-enable' is set to 'yes' and 'stale-answer-client-timeout' is '0', the resolver can crash upon encountering specific CNAME chains during query resolution, resulting in an assertion failure that disrupts service. This impacts various BIND 9 versions, necessitating immediate attention and remediation to prevent service impacts.

Affected Version(s)

BIND 9 9.20.0 <= 9.20.10

BIND 9 9.21.0 <= 9.21.9

BIND 9 9.20.9-S1 <= 9.20.10-S1

References

https://kb.isc.org/docs/cve-2025-40777
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-40777 : Assertion Failure in BIND 9 Caching Resolver with Stale Answers Enabled by Internet Systems Consortium