BIND 9.18.44, 9.20.18, and 9.21.17 have been released by the Internet Systems Consortium (ISC) to address a serious security vulnerability in their Domain Name System software. This flaw, identified as CVE-2025-13878, allows attackers to remotely trigger a crash in the named service if it receives malformed or malicious requests. The affected versions span several release cycles, and ISC advises prioritizing system security by patching these vulnerabilities as soon as possible. You can download the latest versions directly from ISC's dedicated download directories, including full source tarballs and cryptographic signatures for verification.

BIND 9.18.44, 9.20.18, and 9.21.17 released

ISC has just released new versions of BIND 9, you know, the Domain Name System software from the Internet Systems Consortium. These updates aim to address identified security vulnerabilities and enhance overall system performance.

These January 2026 maintenance releases are ideal for those who prioritize system security and smooth operation. They offer bug fixes, some feature enhancements, and importantly, patches for a serious issue.

The problem involves how BIND handles certain malformed records, specifically BRID/HHIT ones. This vulnerability can cause the named service (BIND's main DNS server) to crash unexpectedly if it receives these kinds of corrupted or malicious requests. ISC detailed this vulnerability in their most recent security advisory, tagged with CVE-2025-13878.

This flaw is particularly nasty because it affects both authoritative name servers and resolver systems, the different types of BIND installations that run DNS services. So, if you manage any BIND 9 setup, whether it's an authoritative server or a resolver used by others, this update should definitely be on your radar as soon as possible.

The affected versions span several release cycles: older stable releases like 9.18 up through 43 and newer ones from 9.20 starting at version 13 all the way to 17, plus some preview editions of BIND's latest software for these same major versions, namely 9.21.12 up to 9.21.16.

ISC gave this vulnerability a CVSS score of 7.5, which suggests it could be quite impactful if exploited. Worse, attackers can trigger it remotely, meaning they don't even need physical access to your server or resolver setup. If you're running BIND externally facing or handling internal requests without proper validation, you should patch quickly.

You can grab the latest versions directly from their dedicated download directories:

• The update for the 9.18 line is here: 

  https://downloads.isc.org/isc/bind9/9.18.44/ 

• For BIND 9.20, head over to this URL: 

  https://downloads.isc.org/isc/bind9/9.20.18/ 

• And for the latest stable version in the 9.21 series, you'll find it at: 

  https://downloads.isc.org/isc/bind9/9.21.17/ 

Each package includes a full source tarball as usual, along with cryptographic signatures so you can verify the integrity of the download. There are also release notes included, which provide more specific details about what changes were actually made and why in this latest drop.

If you're looking for other ways to get BIND or need information on different software packages from ISC altogether, their main download page has got you covered.