CVE-2025-40777

NameCVE-2025-40777
DescriptionIf a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bind9 (PTS)bullseye1:9.16.50-1~deb11u2vulnerable
bullseye (security)1:9.16.50-1~deb11u3vulnerable
bookworm, bookworm (security)1:9.18.33-1~deb12u2vulnerable
forky, sid, trixie1:9.20.11-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bind9source(unstable)1:9.20.11-1

Notes

[bullseye] - bind9 <postponed> (Minor issue)
https://kb.isc.org/docs/cve-2025-40777
Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/9c7a63142dacb2e16c64719f57d1191298af4393 (v9.20.11)

Search for package or bug name: Reporting problems