PT-2025-22347 · Isc+3 · Bind 9+3

Published: 2025-05-21 · Updated: 2025-06-01 · CVE-2025-40775

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
BIND 9 versions 9.20.0 through 9.20.8
BIND 9 versions 9.21.0 through 9.21.7
Description
When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. A remote attacker can use this behaviour to cause BIND to crash, resulting in a denial of service.
Recommendations
To resolve the issue for BIND 9 versions 9.20.0 through 9.20.8, update to version 9.20.9 or later. To resolve the issue for BIND 9 versions 9.21.0 through 9.21.7, update to version 9.21.8 or later. As a temporary workaround until the patch can be applied, consider restricting which sources can reach the TSIG validation function.

Fix

DoS

Weakness Enumeration

Related Identifiers

AZL-61972
CVE-2025-40775
OPENSUSE-SU-2025:15156-1
SUSE-SU-2025:01787-1
SUSE-SU-2025_01787-1
USN-7526-1

Affected Products

Bind 9
Debian
Suse
Ubuntu