On 22 October 2025 we (Internet Systems Consortium) disclosed three 
vulnerabilities affecting our BIND 9 software:

- CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling
  https://kb.isc.org/docs/cve-2025-8677
- CVE-2025-40778: Cache poisoning attacks with unsolicited RRs
  https://kb.isc.org/docs/cve-2025-40778
- CVE-2025-40780: Cache poisoning due to weak PRNG
  https://kb.isc.org/docs/cve-2025-40780

New versions of BIND 9 are available from https://www.isc.org/downloads

Operators and package maintainers who prefer to apply patches selectively can 
find individual vulnerability-specific patches in the "patches" subdirectory of 
each published release directory:

- https://downloads.isc.org/isc/bind9/9.18.41/patches/
- https://downloads.isc.org/isc/bind9/9.20.15/patches/
- https://downloads.isc.org/isc/bind9/9.21.14/patches/

With the public announcement of these vulnerabilities, the embargo period is 
ended and any updated software packages that have been prepared may be released.

-- 
Best regards,
Michał Kępień
