CVE-2025-8677

EUVD-2025-35583
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.
This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
Amplification
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Debian logo
Debian Releases
Debian Product
Codename
bind9
bookworm
1:9.18.47-1~deb12u1
fixed
bookworm (security)
1:9.18.49-1~deb12u1
fixed
bullseye
vulnerable
bullseye (security)
1:9.16.50-1~deb11u5
fixed
forky
1:9.20.22-1
fixed
sid
1:9.20.23-1
fixed
trixie
1:9.20.21-1~deb13u1
fixed
trixie (security)
1:9.20.23-1~deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
bind9
bionic
needed
focal
Fixed 1:9.18.30-0ubuntu0.20.04.2+esm1
released
jammy
Fixed 1:9.18.39-0ubuntu0.22.04.2
released
noble
Fixed 1:9.18.39-0ubuntu0.24.04.2
released
plucky
Fixed 1:9.20.11-0ubuntu0.2
released
questing
Fixed 1:9.20.11-1ubuntu2.1
released
resolute
Fixed 1:9.20.11-1ubuntu3
released
trusty
needs-triage
xenial
needs-triage
isc-dhcp
bionic
needs-triage
focal
not-affected
jammy
not-affected
noble
needs-triage
plucky
ignored
questing
needs-triage
resolute
needs-triage
trusty
not-affected
xenial
not-affected
bind9-libs
focal
needs-triage
jammy
needs-triage
noble
dne
plucky
dne
questing
dne
resolute
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
bind
suse enterprise sap 15 SP6
9.18.33-150600.3.18.1
fixed
suse enterprise sap 15 SP7
9.20.15-150700.3.12.1
fixed
suse enterprise server 15 SP6
9.18.33-150600.3.18.1
fixed
suse enterprise server 15 SP7
9.20.15-150700.3.12.1
fixed
bind-doc
suse enterprise sap 15 SP6
9.18.33-150600.3.18.1
fixed
suse enterprise sap 15 SP7
9.20.15-150700.3.12.1
fixed
suse enterprise server 15 SP6
9.18.33-150600.3.18.1
fixed
suse enterprise server 15 SP7
9.20.15-150700.3.12.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bind
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-chroot
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-devel
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-dnssec-doc
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-dnssec-utils
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-doc
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-libs
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-license
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind-utils
RHEL 9
32:9.16.23-40.el9_8.1
fixed
bind9.18
RHEL 9
32:9.18.29-5.el9_7.2
fixed
bind9.18-chroot
RHEL 9
32:9.18.29-5.el9_7.2
fixed
bind9.18-devel
RHEL 9
32:9.18.29-5.el9_7.2
fixed
bind9.18-dnssec-utils
RHEL 9
32:9.18.29-5.el9_7.2
fixed
bind9.18-doc
RHEL 9
32:9.18.29-5.el9_7.2
fixed
bind9.18-libs
RHEL 9
32:9.18.29-5.el9_7.2
fixed
bind9.18-utils
RHEL 9
32:9.18.29-5.el9_7.2
fixed
python3-bind
RHEL 9
32:9.16.23-40.el9_8.1
fixed
Common Weakness Enumeration
References
https://kb.isc.org/docs/cve-2025-8677
http://www.openwall.com/lists/oss-security/2025/10/22/1