Critical BIND 9 Vulnerability Exposes DNS Servers to Remote Denial-of-Service Attacks
A significant security flaw has been identified in BIND 9, the widely used Domain Name System (DNS) server software that translates domain names into IP addresses across the internet. The vulnerability, designated CVE-2025-13878, allows remote attackers to crash DNS servers by sending specially crafted, malformed DNS records, potentially leading to widespread service disruptions.
Understanding the Vulnerability
The core issue arises from BIND 9’s improper handling of malformed BRID (Breadth-first Record ID) and HHIT (Host Hash Information Table) records within its ‘named’ daemon. When a DNS server processes a request containing these corrupted records, the daemon can terminate unexpectedly, resulting in a complete service outage. This denial-of-service (DoS) condition affects both authoritative nameservers and DNS resolvers, expanding the potential impact across various network architectures.
Technical Details
– CVE Identifier: CVE-2025-13878
– Title: Malformed BRID/HHIT records can cause ‘named’ to terminate unexpectedly
– Affected Software: BIND 9 (DNS Server)
– Vulnerability Type: Denial of Service (DoS)
– Attack Vector: Network (Remote)
– CVSS v3.1 Score: 7.5 (High)
– CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The vulnerability’s high CVSS score underscores its severity, highlighting the ease with which it can be exploited remotely without requiring authentication or user interaction. This accessibility makes the flaw particularly concerning for publicly accessible DNS infrastructure.
Affected Versions and Mitigation
The vulnerability impacts the following BIND 9 versions:
– BIND 9 (Standard):
  – Versions 9.18.40 through 9.18.43
  – Versions 9.20.13 through 9.20.17
  – Versions 9.21.12 through 9.21.16
– BIND Supported Preview Edition (SPE):
  – Versions 9.18.40-S1 through 9.18.43-S1
  – Versions 9.20.13-S1 through 9.20.17-S1
To address this critical issue, the Internet Systems Consortium (ISC) has released patched versions:
– BIND 9 (Standard):
  – Version 9.18.44
  – Version 9.20.18
  – Version 9.21.17
– BIND SPE (Preview):
  – Version 9.18.44-S1
  – Version 9.20.18-S1
Organizations running affected versions should prioritize upgrading to these patched releases to mitigate the risk. No workarounds exist at present, so patching is the only viable mitigation.
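Checking whether a running instance falls inside the ranges listed above is a small version-comparison problem that is easy to get wrong by hand, especially with the -S1 preview builds. The following added example (not from the advisory or from ISC) encodes the affected and fixed versions exactly as stated in this article, extracts a version from either a bare string or a `named -v` banner, and reports whether it is affected and which fixed release to move to. The sample banner lines it runs on are constructed for illustration, as are any `<id:...>` placeholders in them.

```python
# Added example: check a BIND 9 version string against the affected and fixed
# versions listed in the advisory for CVE-2025-13878. The ranges below are
# transcribed from the article; the sample inputs at the bottom are constructed.
import re

# Inclusive affected ranges, keyed by edition tag ("" = standard, "S1" = Supported Preview Edition).
AFFECTED = {
    "": [
        ((9, 18, 40), (9, 18, 43)),
        ((9, 20, 13), (9, 20, 17)),
        ((9, 21, 12), (9, 21, 16)),
    ],
    "S1": [
        ((9, 18, 40), (9, 18, 43)),
        ((9, 20, 13), (9, 20, 17)),
    ],
}

# First fixed release per (edition, major.minor branch).
FIXED = {
    "": {(9, 18): (9, 18, 44), (9, 20): (9, 20, 18), (9, 21): (9, 21, 17)},
    "S1": {(9, 18): (9, 18, 44), (9, 20): (9, 20, 18)},
}

# Matches "9.18.42" or "9.18.42-S1"; distribution suffixes such as "-1~deb12u2" are
# deliberately not captured as an edition, so they fall through as standard builds.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_version(text):
    """Return ((major, minor, patch), edition) from a bare version or a `named -v` banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in: {text!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, (m.group(4) or "")


def is_affected(text):
    """True if the version lies in an affected range, False if not, None if the edition tag is unknown."""
    version, edition = parse_version(text)
    ranges = AFFECTED.get(edition)
    if ranges is None:
        return None  # an edition the advisory does not list; cannot judge from it
    return any(lo <= version <= hi for lo, hi in ranges)


def recommended_upgrade(text):
    """Return the first fixed release on the same branch and edition, or None if the branch is not listed."""
    version, edition = parse_version(text)
    target = FIXED.get(edition, {}).get(version[:2])
    if target is None:
        return None
    return ".".join(map(str, target)) + (f"-{edition}" if edition else "")


if __name__ == "__main__":
    # Constructed sample banners in the general shape of `named -v` output.
    samples = [
        "BIND 9.18.42 (Extended Support Version) <id:constructed>",
        "BIND 9.20.17-S1 (Supported Preview Edition) <id:constructed>",
        "BIND 9.21.17 (Development Release) <id:constructed>",
        "BIND 9.16.50 (Extended Support Version) <id:constructed>",
    ]
    for banner in samples:
        status = is_affected(banner)
        verdict = {True: "AFFECTED", False: "not affected", None: "unknown edition"}[status]
        fix = recommended_upgrade(banner)
        print(f"{banner}\n  -> {verdict}" + (f"; upgrade to {fix}" if status else ""))
```

One caveat for anyone wiring this into an inventory check: distribution packages often backport fixes without changing the upstream version number, so a banner such as 9.18.42 from a vendor package may already carry the fix. Treat a match here as a prompt to consult the vendor's changelog, not as proof of exposure.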
Disclosure and Recommendations
ISC publicly disclosed this vulnerability on January 21, 2026, following an early notification issued on January 14, 2026. As of now, no active exploits have been documented in the wild, providing organizations a critical window for proactive remediation before potential exploitation campaigns emerge.
Administrators are strongly advised to:
1. Upgrade Immediately: Apply the latest patched versions corresponding to their BIND 9 deployment.
2. Monitor Systems: Regularly check for unusual activity or unexpected service interruptions.
3. Stay Informed: Keep abreast of updates from ISC and other reputable cybersecurity sources.
ISC acknowledges the security researcher for responsibly disclosing this vulnerability, emphasizing the importance of coordinated vulnerability reporting in maintaining internet security.
Conclusion
The discovery of CVE-2025-13878 highlights the ongoing challenges in securing critical internet infrastructure components like DNS servers. By promptly applying the recommended patches and adhering to best practices, organizations can protect their services from potential disruptions and maintain the integrity of their network operations.