CVE-2025-40777

EUVD-2025-21736

16.07.2025, 18:15

If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure.
This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
isc	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Debian Releases

Debian Product

Codename

bind9

bookworm	postponed
bookworm (security)	vulnerable
bullseye	postponed
bullseye (security)	vulnerable
forky	1:9.20.20-1 fixed
sid	1:9.20.20-1 fixed
trixie	1:9.20.15-1~deb13u1 fixed
trixie (security)	1:9.20.18-1~deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

bind9

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	Fixed 1:9.20.4-3ubuntu1.2 released
trusty	not-affected
xenial	not-affected

isc-dhcp

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	not-affected
xenial	not-affected

bind9-libs

focal	not-affected
jammy	not-affected
noble	dne
plucky	dne

Common Weakness Enumeration

CWE-617 - Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

References

https://kb.isc.org/docs/cve-2025-40777

http://www.openwall.com/lists/oss-security/2025/07/16/6