CVE-2025-8677
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-8677, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-22

Last updated on: 2025-11-04

Assigner: Internet Systems Consortium (ISC)

Description

Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-22
Last Modified
2025-11-04
Generated
2026-07-06
AI Q&A
2025-10-22
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 70 associated CPEs
Vendor Product Version / Range
isc bind 9.20.2
isc bind 9.18.24
isc bind 9.18.30
isc bind 9.21.4
isc bind 9.20.10
isc bind 9.18.32
isc bind 9.21.2
isc bind 9.18.5
isc bind 9.18.25
isc bind 9.21.3
isc bind 9.21.10
isc bind 9.18.4
isc bind 9.21.12
isc bind 9.21.0
isc bind 9.20.0
isc bind 9.21.14
isc bind 9.18.26
isc bind 9.18.16
isc bind 9.21.5
isc bind 9.18.23
isc bind 9.20.8
isc bind 9.18.41
isc bind 9.18.20
isc bind 9.18.35
isc bind 9.18.38
isc bind 9.18.10
isc bind 9.20.9
isc bind 9.18.0
isc bind 9.18.22
isc bind 9.21.11
isc bind 9.20.7
isc bind 9.18.14
isc bind 9.18.19
isc bind 9.18.18
isc bind 9.21.7
isc bind 9.18.13
isc bind 9.21.1
isc bind 9.20.11
isc bind 9.20.13
isc bind 9.18.12
isc bind 9.18.8
isc bind 9.18.9
isc bind 9.20.5
isc bind 9.18.15
isc bind 9.18.29
isc bind 9.18.2
isc bind 9.18.3
isc bind 9.20.1
isc bind 9.18.7
isc bind 9.18.34
isc bind 9.20.15
isc bind 9.18.28
isc bind 9.18.31
isc bind 9.18.21
isc bind 9.18.39
isc bind 9.21.8
isc bind 9.18.1
isc bind 9.18.11
isc bind 9.18.33
isc bind 9.21.9
isc bind 9.18.17
isc bind 9.20.4
isc bind 9.20.12
isc bind 9.18.37
isc bind 9.20.6
isc bind 9.18.27
isc bind 9.20.3
isc bind 9.18.36
isc bind 9.21.6
isc bind 9.18.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in BIND 9 DNS resolver software occurs when a query is made for records within a specially crafted DNS zone containing malformed DNSKEY records. Handling these malformed records causes excessive CPU usage, leading to resource exhaustion. This can degrade performance significantly and potentially cause denial of service (DoS) for legitimate clients. The issue affects multiple BIND 9 versions and is remotely exploitable without authentication. [1]

Impact Analysis

The vulnerability can cause your DNS resolver to experience high CPU usage when processing queries involving malformed DNSKEY records, leading to performance degradation and possible denial of service. This means legitimate DNS queries may be delayed or dropped, impacting availability of DNS services relying on the affected BIND 9 versions. [1]

Detection Guidance

There are no specific detection commands or methods provided for this vulnerability. The issue involves CPU exhaustion triggered by querying specially crafted DNS zones with malformed DNSKEY records, but no detection commands or network indicators are described. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade BIND 9 to the patched versions: 9.18.41, 9.20.15, 9.21.14, or the corresponding Supported Preview Editions 9.18.41-S1 and 9.20.15-S1. No workarounds are currently known. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8677. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart