BIND 9.18.41, 9.20.15, and 9.21.14 released
ISC has recently released BIND 9.18.41, 9.20.15, and 9.21.14, which contain significant updates to address security vulnerabilities and improve overall performance. In addition to bug fixes and feature enhancements, these releases also provide critical patches for high-severity issues.
The first identified vulnerability is CVE-2025-8677, a resource exhaustion issue stemming from malformed DNSKEY handling. A specifically crafted zone containing corrupted DNSKEY records can cause the server's CPU to become overwhelmed, leading to significant performance degradation and denial of service for legitimate clients.
CVE-2025-40778, a high-severity issue impacting resolvers, addresses a second critical vulnerability. Under specific conditions, BIND becomes too lenient when accepting records based on answers, allowing attackers to inject forged data into the cache. This flaw can lead to potential resolution issues for future queries if forged records are cached during the query process.
Lastly, CVE-2025-40780 represents a cache poisoning issue arising from a weakness in the Pseudo Random Number Generator (PRNG). In specific circumstances, attackers can predict the source port and query ID that BIND will use. If successful, this can lead to BIND being tricked into caching attacker responses.
These releases highlight the importance of maintaining up-to-date software to mitigate high-severity security risks and ensure reliable DNS services for all users.
