CVE-2025-40776 (GCVE-0-2025-40776)
Vulnerability from cvelistv5
Published
2025-07-16 13:41
Modified
2025-07-22 14:55
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE
  • CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Summary
A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack. This issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.
References
Impacted products
Vendor Product Version
ISC BIND 9 Version: 9.11.3-S1   <
Version: 9.18.11-S1   <
Version: 9.20.9-S1   <
Patch: 9.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-40776",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-22T14:54:56.292632Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-22T14:55:04.420Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BIND 9",
          "vendor": "ISC",
          "versions": [
            {
              "lessThanOrEqual": "9.16.50-S1",
              "status": "affected",
              "version": "9.11.3-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.18.37-S1",
              "status": "affected",
              "version": "9.18.11-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.10-S1",
              "status": "affected",
              "version": "9.20.9-S1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "9.20.10",
              "status": "unaffected",
              "version": "9.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "ISC would like to thank Xiang Li from AOSP Lab of Nankai University for bringing this vulnerability to our attention."
        }
      ],
      "datePublic": "2025-07-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "We are not aware of any active exploits."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations. As a result of this weakness, a resolver with ECS enabled is more vulnerable to successful cache poisoning via spoofed query responses than one that does not implement this feature."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-16T13:41:01.337Z",
        "orgId": "404fd4d2-a609-4245-b543-2c944a302a22",
        "shortName": "isc"
      },
      "references": [
        {
          "name": "CVE-2025-40776",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://kb.isc.org/docs/cve-2025-40776"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.38-S1 or 9.20.11-S1."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Birthday Attack against Resolvers supporting ECS",
      "workarounds": [
        {
          "lang": "en",
          "value": "Disable ECS in BIND by removing the `ecs-zones` option from `named.conf`."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22",
    "assignerShortName": "isc",
    "cveId": "CVE-2025-40776",
    "datePublished": "2025-07-16T13:41:01.337Z",
    "dateReserved": "2025-04-16T08:44:49.856Z",
    "dateUpdated": "2025-07-22T14:55:04.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-40776\",\"sourceIdentifier\":\"security-officer@isc.org\",\"published\":\"2025-07-16T14:15:25.053\",\"lastModified\":\"2025-07-16T14:58:59.837\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.\"},{\"lang\":\"es\",\"value\":\"Un solucionador de cach\u00e9 con nombre configurado para enviar opciones de ECS (subred de cliente EDNS) podr\u00eda ser vulnerable a un ataque de envenenamiento de cach\u00e9. Este problema afecta a las versiones de BIND 9 de la 9.11.3-S1 a la 9.16.50-S1, de la 9.18.11-S1 a la 9.18.37-S1 y de la 9.20.9-S1 a la 9.20.10-S1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-officer@isc.org\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"security-officer@isc.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-349\"}]}],\"references\":[{\"url\":\"https://kb.isc.org/docs/cve-2025-40776\",\"source\":\"security-officer@isc.org\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-40776\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-22T14:54:56.292632Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-22T14:55:00.920Z\"}}], \"cna\": {\"title\": \"Birthday Attack against Resolvers supporting ECS\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"ISC would like to thank Xiang Li from AOSP Lab of Nankai University for bringing this vulnerability to our attention.\"}], \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations. As a result of this weakness, a resolver with ECS enabled is more vulnerable to successful cache poisoning via spoofed query responses than one that does not implement this feature.\"}]}], \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"ISC\", \"product\": \"BIND 9\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.11.3-S1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.16.50-S1\"}, {\"status\": \"affected\", \"version\": \"9.18.11-S1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.18.37-S1\"}, {\"status\": \"affected\", \"version\": \"9.20.9-S1\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.20.10-S1\"}, {\"status\": \"unaffected\", \"version\": \"9.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.20.10\"}], \"defaultStatus\": \"unaffected\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"We are not aware of any active exploits.\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.38-S1 or 9.20.11-S1.\"}], \"datePublic\": \"2025-07-16T00:00:00.000Z\", \"references\": [{\"url\": \"https://kb.isc.org/docs/cve-2025-40776\", \"name\": \"CVE-2025-40776\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Disable ECS in BIND by removing the `ecs-zones` option from `named.conf`.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-349\", \"description\": \"CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"404fd4d2-a609-4245-b543-2c944a302a22\", \"shortName\": \"isc\", \"dateUpdated\": \"2025-07-16T13:41:01.337Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-40776\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-22T14:55:04.420Z\", \"dateReserved\": \"2025-04-16T08:44:49.856Z\", \"assignerOrgId\": \"404fd4d2-a609-4245-b543-2c944a302a22\", \"datePublished\": \"2025-07-16T13:41:01.337Z\", \"assignerShortName\": \"isc\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.