CVE-2025-8677
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-11-04

Assigner: Internet Systems Consortium (ISC)

Description
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-11-04
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8677
Affected Vendors & Products
Showing 70 associated CPEs
Vendor Product Version / Range
isc bind 9.20.2
isc bind 9.18.24
isc bind 9.18.30
isc bind 9.21.4
isc bind 9.20.10
isc bind 9.18.32
isc bind 9.21.2
isc bind 9.18.5
isc bind 9.18.25
isc bind 9.21.3
isc bind 9.21.10
isc bind 9.18.4
isc bind 9.21.12
isc bind 9.21.0
isc bind 9.20.0
isc bind 9.21.14
isc bind 9.18.26
isc bind 9.18.16
isc bind 9.21.5
isc bind 9.18.23
isc bind 9.20.8
isc bind 9.18.41
isc bind 9.18.20
isc bind 9.18.35
isc bind 9.18.38
isc bind 9.18.10
isc bind 9.20.9
isc bind 9.18.0
isc bind 9.18.22
isc bind 9.21.11
isc bind 9.20.7
isc bind 9.18.14
isc bind 9.18.19
isc bind 9.18.18
isc bind 9.21.7
isc bind 9.18.13
isc bind 9.21.1
isc bind 9.20.11
isc bind 9.20.13
isc bind 9.18.12
isc bind 9.18.8
isc bind 9.18.9
isc bind 9.20.5
isc bind 9.18.15
isc bind 9.18.29
isc bind 9.18.2
isc bind 9.18.3
isc bind 9.20.1
isc bind 9.18.7
isc bind 9.18.34
isc bind 9.20.15
isc bind 9.18.28
isc bind 9.18.31
isc bind 9.18.21
isc bind 9.18.39
isc bind 9.21.8
isc bind 9.18.1
isc bind 9.18.11
isc bind 9.18.33
isc bind 9.21.9
isc bind 9.18.17
isc bind 9.20.4
isc bind 9.20.12
isc bind 9.18.37
isc bind 9.20.6
isc bind 9.18.27
isc bind 9.20.3
isc bind 9.18.36
isc bind 9.21.6
isc bind 9.18.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in BIND 9 DNS resolver software occurs when a query is made for records within a specially crafted DNS zone containing malformed DNSKEY records. Handling these malformed records causes excessive CPU usage, leading to resource exhaustion. This can degrade performance significantly and potentially cause denial of service (DoS) for legitimate clients. The issue affects multiple BIND 9 versions and is remotely exploitable without authentication. [1]

Impact Analysis

The vulnerability can cause your DNS resolver to experience high CPU usage when processing queries involving malformed DNSKEY records, leading to performance degradation and possible denial of service. This means legitimate DNS queries may be delayed or dropped, impacting availability of DNS services relying on the affected BIND 9 versions. [1]

Detection Guidance

There are no specific detection commands or methods provided for this vulnerability. The issue involves CPU exhaustion triggered by querying specially crafted DNS zones with malformed DNSKEY records, but no detection commands or network indicators are described. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade BIND 9 to the patched versions: 9.18.41, 9.20.15, 9.21.14, or the corresponding Supported Preview Editions 9.18.41-S1 and 9.20.15-S1. No workarounds are currently known. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8677. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart