The Internet Systems Consortium (ISC) has issued a high-severity security advisory for BIND 9, the software that powers a vast portion of the internet’s Domain Name System (DNS) infrastructure. A newly discovered vulnerability, tracked as CVE-2025-13878, allows remote attackers to crash BIND servers with a single malicious packet, potentially causing widespread denial-of-service (DoS) outages.
The flaw carries a CVSS score of 7.5 and is marked as “Remotely” exploitable, meaning attackers can trigger the crash from across the internet without needing local access or authentication.
The vulnerability lies in how the named process—the core daemon of BIND—handles specific types of DNS records. According to the advisory, the issue is triggered by invalid data structures related to BRID and HHIT records.
“Malformed BRID/HHIT records can cause named to terminate unexpectedly,” the advisory states.
While these record types are less common than standard A or AAAA records, the parser’s inability to handle corrupt versions of them creates a fragile point in the software.
The impact of this vulnerability is straightforward but disruptive. By sending a specially crafted query, an adversary can force the DNS server to shut down.
“An attacker can cause named to crash by sending a request that results in a corrupt or malicious record,” the advisory warns.
This risk applies to the entire ecosystem of BIND deployments. The ISC confirmed that both “Authoritative servers are affected by this vulnerability” and “Resolvers are affected by this vulnerability,” leaving no configuration safe from the potential crash.
The vulnerability was reported by Vlatko Kosturjak from Marlink Cyber.
Network administrators are urged to check their BIND versions immediately. The vulnerability affects the following branches:
- BIND 9.18: Versions 9.18.40 through 9.18.43
- BIND 9.20: Versions 9.20.13 through 9.20.17
- BIND 9.21: Versions 9.21.12 through 9.21.16
Supported Preview Editions are also impacted.
Fortunately, the ISC is “not aware of any active exploits” in the wild at this time. However, given the ubiquity of BIND, organizations should not wait to patch.
The ISC advises users to “Upgrade to the patched release most closely related to your current version of BIND 9,” specifically versions 9.18.44, 9.20.18, and 9.21.17.
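To check a fleet against the ranges above, the following added example (not part of the ISC advisory or of BIND) classifies `named -v` banners or bare version strings and reports the fixed release to move to. The sample inventory is constructed, and the script assumes that Supported Preview Edition (`-S`) builds share the numeric range of their branch, which the article does not spell out.

```python
import re

# Affected patch ranges (inclusive) and fixed release per branch, as listed in the article.
AFFECTED = {
    (9, 18): (40, 43, "9.18.44"),
    (9, 20): (13, 17, "9.20.18"),
    (9, 21): (12, 16, "9.21.17"),
}

# Matches "9.18.41", "BIND 9.18.41-S1 (...)", "9.18.41-1ubuntu1", and similar.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def classify(banner):
    """Return (status, fixed_release) for a `named -v` banner or bare version."""
    m = VERSION_RE.search(banner)
    if m is None:
        return ("unknown", None)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    entry = AFFECTED.get((major, minor))
    if entry is None:
        return ("not-listed", None)  # branch not named in the article
    low, high, fixed = entry
    if patch < low:
        return ("not-listed", None)  # older than the first affected release
    if patch > high:
        return ("patched", fixed)
    # Assumption: -S (Supported Preview Edition) builds share the numeric range.
    return ("affected", fixed)


if __name__ == "__main__":
    # Constructed inventory: hostnames and banners are made up for illustration.
    inventory = {
        "ns1.example": "BIND 9.18.41 (Extended Support Version) <id:constructed>",
        "ns2.example": "BIND 9.20.18 (Stable Release) <id:constructed>",
        "rec1.example": "BIND 9.20.13-S1 (Stable Release) <id:constructed>",
        "lab.example": "9.21.11",
    }
    for host, banner in inventory.items():
        status, fixed = classify(banner)
        note = f" -> upgrade to {fixed}" if status == "affected" else ""
        print(f"{host:14} {status:10}{note}")
```

Distribution packages can carry a backported fix under an older upstream version number, so confirm an "affected" result against the vendor's changelog before scheduling the upgrade.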