CVE-2025-40780

Summary

In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Affected Software

VendorProductVersion RangeStatus
ISCBIND 99.16.0 <= 9.16.50affected
ISCBIND 99.18.0 <= 9.18.39affected
ISCBIND 99.20.0 <= 9.20.13affected
ISCBIND 99.21.0 <= 9.21.12affected
ISCBIND 99.16.8-S1 <= 9.16.50-S1affected
ISCBIND 99.18.11-S1 <= 9.18.39-S1affected
ISCBIND 99.20.9-S1 <= 9.20.13-S1affected

Weaknesses

  • CWE-341: CWE-341 Predictable from Observable State

Workarounds

No workarounds known.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References