CVE-2025-8677
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-11-04
Assigner: Internet Systems Consortium (ISC)
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isc | bind | 9.20.2 |
| isc | bind | 9.18.24 |
| isc | bind | 9.18.30 |
| isc | bind | 9.21.4 |
| isc | bind | 9.20.10 |
| isc | bind | 9.18.32 |
| isc | bind | 9.21.2 |
| isc | bind | 9.18.5 |
| isc | bind | 9.18.25 |
| isc | bind | 9.21.3 |
| isc | bind | 9.21.10 |
| isc | bind | 9.18.4 |
| isc | bind | 9.21.12 |
| isc | bind | 9.21.0 |
| isc | bind | 9.20.0 |
| isc | bind | 9.21.14 |
| isc | bind | 9.18.26 |
| isc | bind | 9.18.16 |
| isc | bind | 9.21.5 |
| isc | bind | 9.18.23 |
| isc | bind | 9.20.8 |
| isc | bind | 9.18.41 |
| isc | bind | 9.18.20 |
| isc | bind | 9.18.35 |
| isc | bind | 9.18.38 |
| isc | bind | 9.18.10 |
| isc | bind | 9.20.9 |
| isc | bind | 9.18.0 |
| isc | bind | 9.18.22 |
| isc | bind | 9.21.11 |
| isc | bind | 9.20.7 |
| isc | bind | 9.18.14 |
| isc | bind | 9.18.19 |
| isc | bind | 9.18.18 |
| isc | bind | 9.21.7 |
| isc | bind | 9.18.13 |
| isc | bind | 9.21.1 |
| isc | bind | 9.20.11 |
| isc | bind | 9.20.13 |
| isc | bind | 9.18.12 |
| isc | bind | 9.18.8 |
| isc | bind | 9.18.9 |
| isc | bind | 9.20.5 |
| isc | bind | 9.18.15 |
| isc | bind | 9.18.29 |
| isc | bind | 9.18.2 |
| isc | bind | 9.18.3 |
| isc | bind | 9.20.1 |
| isc | bind | 9.18.7 |
| isc | bind | 9.18.34 |
| isc | bind | 9.20.15 |
| isc | bind | 9.18.28 |
| isc | bind | 9.18.31 |
| isc | bind | 9.18.21 |
| isc | bind | 9.18.39 |
| isc | bind | 9.21.8 |
| isc | bind | 9.18.1 |
| isc | bind | 9.18.11 |
| isc | bind | 9.18.33 |
| isc | bind | 9.21.9 |
| isc | bind | 9.18.17 |
| isc | bind | 9.20.4 |
| isc | bind | 9.20.12 |
| isc | bind | 9.18.37 |
| isc | bind | 9.20.6 |
| isc | bind | 9.18.27 |
| isc | bind | 9.20.3 |
| isc | bind | 9.18.36 |
| isc | bind | 9.21.6 |
| isc | bind | 9.18.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in BIND 9 DNS resolver software occurs when a query is made for records within a specially crafted DNS zone containing malformed DNSKEY records. Handling these malformed records causes excessive CPU usage, leading to resource exhaustion. This can degrade performance significantly and potentially cause denial of service (DoS) for legitimate clients. The issue affects multiple BIND 9 versions and is remotely exploitable without authentication. [1]
How can this vulnerability impact me?
The vulnerability can cause your DNS resolver to experience high CPU usage when processing queries involving malformed DNSKEY records, leading to performance degradation and possible denial of service. This means legitimate DNS queries may be delayed or dropped, impacting availability of DNS services relying on the affected BIND 9 versions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or methods provided for this vulnerability. The issue involves CPU exhaustion triggered by querying specially crafted DNS zones with malformed DNSKEY records, but no detection commands or network indicators are described. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade BIND 9 to the patched versions: 9.18.41, 9.20.15, 9.21.14, or the corresponding Supported Preview Editions 9.18.41-S1 and 9.20.15-S1. No workarounds are currently known. [1]
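The upgrade guidance above can be turned into a fleet triage check. The following is an added example, not code from BaseFortify or ISC: it compares collected version banners against the patched releases named in the answer. The function names, hostnames and banners are constructed, and it assumes any release in the 9.18, 9.20 or 9.21 branch below the patched level needs the upgrade.

```python
import re

# Patched releases per branch, taken from the mitigation answer above.
FIXED_PATCH = {(9, 18): 41, (9, 20): 15, (9, 21): 14}
# Branches for which the page names a Supported Preview Edition (-S1) fix.
PREVIEW_BRANCHES = {(9, 18), (9, 20)}

# Finds "9.18.39", "9.20.13-S1", etc. inside a longer banner string.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def upgrade_status(version_text):
    """Return (status, target): status is 'patched', 'upgrade' or 'unknown'."""
    match = VERSION_RE.search(version_text)
    if match is None:
        return "unknown", None
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    branch = (major, minor)
    if branch not in FIXED_PATCH:
        # The page says nothing about this branch, so make no claim.
        return "unknown", None
    if patch >= FIXED_PATCH[branch]:
        return "patched", None
    target = f"{major}.{minor}.{FIXED_PATCH[branch]}"
    if match.group(4) and branch in PREVIEW_BRANCHES:
        target += "-S1"  # Preview Edition installs move to the -S1 fix
    return "upgrade", target


def triage(inventory):
    """Map each host to its (status, target) pair."""
    return {host: upgrade_status(text) for host, text in inventory.items()}


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "resolver-a": "BIND 9.18.39-S1 (Extended Support Version)",
    "resolver-b": "BIND 9.20.15 (Stable Release)",
    "resolver-c": "9.21.12",
    "resolver-d": "BIND 9.16.50",
    "resolver-e": "version hidden by configuration",
}

if __name__ == "__main__":
    for host, (status, target) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}" + (f" -> {target}" if target else ""))
```

Distribution packages often backport fixes without changing the upstream version number, so an "upgrade" result on a distro build is a prompt to check the vendor's own advisory.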