CVE-2025-40777
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-16

Last updated on: 2025-11-04

Assigner: Internet Systems Consortium (ISC)

Description
If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-16
Last Modified
2025-11-04
Generated
2026-05-06
AI Q&A
2025-07-16
EPSS Evaluated
2026-05-05
NVD
CVE-2025-40777
Affected Vendors & Products
Showing 26 associated CPEs
Vendor Product Version / Range
isc bind 9.20.0
isc bind 9.20.11
isc bind 9.20.9-s1
isc bind 9.21.1
isc bind 9.21.9
isc bind 9.21.6
isc bind 9.21.10
isc bind 9.21.5
isc bind 9.20.1
isc bind 9.20.9
isc bind 9.20.7
isc bind 9.20.5
isc bind 9.21.2
isc bind 9.20.11-s1
isc bind 9.21.8
isc bind 9.20.2
isc bind 9.21.3
isc bind 9.21.7
isc bind 9.21.4
isc bind 9.20.4
isc bind 9.20.10-s1
isc bind 9.20.8
isc bind 9.20.3
isc bind 9.20.6
isc bind 9.20.10
isc bind 9.21.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the BIND 9 DNS server when it is configured with 'serve-stale-enable' set to 'yes' and 'stale-answer-client-timeout' set to '0'. Under these conditions, if the resolver encounters a CNAME chain with a specific combination of cached or authoritative records during query resolution, the server daemon will crash due to an assertion failure.


How can this vulnerability impact me? :

The impact of this vulnerability is a denial of service condition where the BIND 9 DNS server daemon aborts unexpectedly, causing DNS resolution failures and potential service disruption.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should avoid configuring the named caching resolver with 'serve-stale-enable' set to 'yes' together with 'stale-answer-client-timeout' set to '0'. Consider disabling 'serve-stale-enable' or setting 'stale-answer-client-timeout' to a value other than '0' or 'disabled'. Additionally, upgrade BIND to a version later than 9.20.10 or 9.21.9 where this issue is fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart