The Internet Systems Consortium (ISC) has issued two security advisories, each addressing a high-impact vulnerability in BIND, its widely used Domain Name System (DNS) software. The vulnerabilities, tracked as CVE-2025-40776 and CVE-2025-40777, affect the BIND Supported Preview Edition and, in the second case, the regular BIND 9.20 and 9.21 releases as well, and expose organizations to cache poisoning and denial-of-service risks.
CVE-2025-40776: ECS Feature Opens Door to Birthday Attack
The first vulnerability, CVE-2025-40776 (CVSS 8.6), lies in the EDNS Client Subnet (ECS) feature of BIND resolvers. The feature, designed to improve geo-based DNS resolution, can inadvertently weaken existing defenses against cache poisoning.
"A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations," the ISC advisory explains.
In simpler terms, when a resolver sends ECS options, an attacker can steer it into query patterns that slightly erode the randomization (transaction ID, source port) that defeats birthday attacks, a class of attacks that rely on the statistical probability of collisions among randomized elements such as DNS transaction IDs and source ports. A successful attacker could inject forged DNS responses into the resolver's cache and redirect users to malicious sites.
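To make the "odds of guessing" concrete, the following added example (not from the ISC advisory or the BIND code base) works the standard cache-poisoning arithmetic: a straight guess against one outstanding query, and the birthday variant in which the attacker induces many simultaneous queries for the same name and sprays forged answers. The numbers for forged responses and outstanding queries are illustrative assumptions; the point is how much each bit of randomness (16 bits of TXID alone versus roughly 32 once the source port is randomized) is worth, and why even a "slight" increase in guessability matters.

```python
import math


def guess_probability(entropy_bits: int, forged_responses: int) -> float:
    """Probability that one of `forged_responses` distinct guesses matches the
    (transaction ID, source port, ...) tuple of a single outstanding query.

    entropy_bits is the number of unpredictable bits the attacker must guess:
    16 for the TXID alone, roughly 32 once the source port is randomized too.
    """
    space = 2 ** entropy_bits
    return min(1.0, forged_responses / space)


def birthday_probability(entropy_bits: int, outstanding_queries: int,
                         forged_responses: int) -> float:
    """Birthday variant: the attacker first induces `outstanding_queries`
    simultaneous queries for the same name, then sprays `forged_responses`
    guesses; any (query, forged response) pair that collides poisons the cache.
    Uses the standard approximation P = 1 - exp(-q * r / N).
    """
    space = 2 ** entropy_bits
    return 1.0 - math.exp(-(outstanding_queries * forged_responses) / space)


def compare_mitigations(outstanding_queries: int, forged_responses: int) -> dict:
    """Side-by-side odds with TXID only (16 bits) and with TXID plus a
    randomized source port (32 bits). Inputs are assumed attacker budgets."""
    return {
        bits: {
            "single_guess": guess_probability(bits, forged_responses),
            "birthday": birthday_probability(bits, outstanding_queries,
                                             forged_responses),
        }
        for bits in (16, 32)
    }


if __name__ == "__main__":
    # Assumed budget: 200 induced queries, 200 forged responses per window.
    for bits, odds in compare_mitigations(200, 200).items():
        print(f"{bits} bits: single guess {odds['single_guess']:.2e}, "
              f"birthday {odds['birthday']:.2e}")
```

With 16 bits of entropy and a few hundred induced queries the birthday variant succeeds almost half the time in a single window, while the same budget against 32 bits yields odds in the one-in-a-hundred-thousand range. Every bit an attacker can recover from the resolver's query behaviour doubles those odds, which is why the advisory treats a "slight" increase as a high-severity issue.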
Affected Versions
This flaw impacts BIND Supported Preview Editions, specifically:
- 9.11.3-S1 through 9.16.50-S1
- 9.18.11-S1 through 9.18.37-S1
- 9.20.9-S1 through 9.20.10-S1
Notably, open-source BIND releases (9.0.0 through 9.20.10) are not affected: the resolver-side ECS feature is shipped only in the Supported Preview Edition.
Mitigation and Fix
ISC recommends disabling ECS if not explicitly required:
βDisable ECS in BIND by removing the ecs-zones option from named.conf.β
A complete fix is available by upgrading to:
- BIND 9.18.38-S1
- BIND 9.20.11-S1
There are currently no known active exploits, but given the nature of cache poisoning attacks, proactive patching is highly encouraged.
CVE-2025-40777: Zero Timeout Option May Crash DNS Resolver
The second vulnerability, CVE-2025-40777 (CVSS 7.5), involves a configuration edge case that can trigger a named daemon crash when serving stale data under specific conditions.
"If a named caching resolver is configured with serve-stale-enable yes, and with stale-answer-client-timeout set to 0…, the daemon will abort with an assertion failure," the advisory explains.
This crash occurs only when resolution traverses a CNAME chain with certain combinations of cached and authoritative records. In theory, a malicious actor could trigger this condition through crafted DNS queries, resulting in denial of service for affected environments. Two practical notes: the option is spelled stale-answer-enable in named.conf (the form the workaround below uses), and stale-answer-client-timeout defaults to off in BIND 9.20 and 9.21, so only resolvers that have explicitly set it to 0 are exposed.
Affected Versions
- BIND 9.20.0 through 9.20.10
- BIND 9.21.0 through 9.21.9
- BIND Supported Preview Edition 9.20.9-S1 through 9.20.10-S1
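A fleet-wide check against the two version lists above is easy to get wrong by hand, particularly because the Preview Edition carries the same numbers with an -S1 suffix and distribution builds append their own suffixes. The following added example (not ISC's code) encodes both advisories' affected ranges and classifies a version string, whether typed bare or taken from the first line of `named -v` output. The sample inputs are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


class Parsed(NamedTuple):
    version: Version
    preview: bool  # True for Supported Preview Edition builds (-S1 suffix)


# Affected ranges as listed in the two ISC advisories summarised above.
# Each entry: (first affected, last affected, applies to preview edition?)
AFFECTED: Dict[str, List[Tuple[Version, Version, bool]]] = {
    "CVE-2025-40776": [
        ((9, 11, 3), (9, 16, 50), True),
        ((9, 18, 11), (9, 18, 37), True),
        ((9, 20, 9), (9, 20, 10), True),
    ],
    "CVE-2025-40777": [
        ((9, 20, 0), (9, 20, 10), False),
        ((9, 21, 0), (9, 21, 9), False),
        ((9, 20, 9), (9, 20, 10), True),
    ],
}

# Matches 9.20.10 or 9.20.10-S1; distro suffixes such as -1~deb12u2 are not
# Preview Edition markers and are ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_named_version(text: str) -> Optional[Parsed]:
    """Extract the BIND version from a bare string or from `named -v` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return Parsed((int(major), int(minor), int(patch)), suffix is not None)


def affected_cves(text: str) -> List[str]:
    """Return the CVE identifiers from the two advisories that apply to
    the version found in `text`; an empty list means not affected."""
    parsed = parse_named_version(text)
    if parsed is None:
        raise ValueError(f"no BIND version found in {text!r}")
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi, preview in ranges:
            if preview == parsed.preview and lo <= parsed.version <= hi:
                hits.append(cve)
                break
    return hits


if __name__ == "__main__":
    # Constructed sample `named -v` first lines (not real hosts).
    samples = [
        "BIND 9.20.10-S1 (Supported Preview Edition)",
        "BIND 9.20.10 (Stable Release)",
        "BIND 9.18.37-S1 (Supported Preview Edition)",
        "BIND 9.18.28-1~deb12u2-Debian (Extended Support Version)",
        "BIND 9.20.11 (Stable Release)",
    ]
    for line in samples:
        print(f"{line:60s} -> {affected_cves(line) or 'not affected'}")
```

Run it over the output of `named -v` collected from each resolver; anything that returns a non-empty list should be scheduled for the fixed release named in the corresponding advisory.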
Workaround and Fix
The workaround is a one-line configuration change:
"Setting either stale-answer-client-timeout off; or stale-answer-enable no; in the configuration file will prevent the assertion."
Permanent remediation is available in:
- BIND 9.20.11
- BIND 9.21.10
- BIND 9.20.11-S1 (Preview Edition)
Like CVE-2025-40776, no in-the-wild exploitation has been observed.
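Both advisories' interim mitigations are configuration changes, so a configuration audit is the natural pre-patch check. The following added example (not ISC's tooling) scans a named.conf for the CVE-2025-40777 trigger combination (stale-answer-enable yes together with stale-answer-client-timeout 0) and for the presence of ecs-zones, the option ISC says to remove for CVE-2025-40776, and rewrites the stale timeout to off. It assumes BIND 9.20/9.21 defaults (stale-answer-enable no, stale-answer-client-timeout off), strips comments before matching, and treats the last occurrence of an option as the effective one; it does not model per-view overrides, so a resolver with several views should be checked view by view. The configuration fragments are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed named.conf fragment (not from the advisory) with the risky settings.
RISKY_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    // serve-stale configuration
    stale-answer-enable yes;
    stale-answer-client-timeout 0;   /* CVE-2025-40777 trigger */
    ecs-zones { example.com; };      # only meaningful on Preview Edition builds
};
"""

# Constructed fragment showing the same resolver after the workarounds.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    stale-answer-enable yes;
    stale-answer-client-timeout off;
};
"""

_STALE_ENABLE = re.compile(r"\bstale-answer-enable\s+(yes|no|true|false)\s*;")
_STALE_TIMEOUT = re.compile(r"\bstale-answer-client-timeout\s+(off|disabled|\d+)\s*;")
_ECS_ZONES = re.compile(r"\becs-zones\b")


def strip_comments(conf: str) -> str:
    """Remove /* */, // and # comments so commented-out options are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def audit_named_conf(conf: str) -> Dict[str, object]:
    """Report the effective serve-stale settings and any findings tied to the
    two advisories. Defaults assumed: stale-answer-enable no, timeout off."""
    text = strip_comments(conf)
    enable = [m.group(1).lower() for m in _STALE_ENABLE.finditer(text)]
    timeout = [m.group(1).lower() for m in _STALE_TIMEOUT.finditer(text)]
    stale_on = enable[-1] in ("yes", "true") if enable else False
    timeout_val = timeout[-1] if timeout else "off"

    findings: List[str] = []
    if stale_on and timeout_val == "0":
        findings.append("CVE-2025-40777: stale-answer-enable yes with "
                        "stale-answer-client-timeout 0; set the timeout to off "
                        "or disable stale answers, then upgrade")
    if _ECS_ZONES.search(text):
        findings.append("CVE-2025-40776: ecs-zones present; remove it unless "
                        "ECS is required (Preview Edition only), then upgrade")
    return {
        "stale_answer_enable": stale_on,
        "stale_answer_client_timeout": timeout_val,
        "findings": findings,
    }


def harden_stale_timeout(conf: str) -> str:
    """Apply ISC's first workaround: stale-answer-client-timeout 0 -> off.
    ecs-zones is left alone because its removal is a policy decision."""
    return re.sub(r"(\bstale-answer-client-timeout\s+)0(\s*;)", r"\1off\2", conf)


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        result = audit_named_conf(conf)
        print(f"{label}: {result['findings'] or 'no findings'}")
```

After editing, validate the file with `named-checkconf` and reload; the config change only removes the crash trigger, so the upgrade to 9.20.11 / 9.21.10 (or 9.20.11-S1) is still required.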