| Name | CVE-2025-40777 |
| Description | If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| bind9 (PTS) | bullseye | 1:9.16.50-1~deb11u2 | vulnerable |
| bullseye (security) | 1:9.16.50-1~deb11u3 | vulnerable | |
| bookworm, bookworm (security) | 1:9.18.33-1~deb12u2 | vulnerable | |
| forky, sid, trixie | 1:9.20.11-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| bind9 | source | (unstable) | 1:9.20.11-1 |
[bullseye] - bind9 <postponed> (Minor issue)
https://kb.isc.org/docs/cve-2025-40777
Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/9c7a63142dacb2e16c64719f57d1191298af4393 (v9.20.11)