A high-severity vulnerability has been disclosed in BIND 9, the extensively used DNS server software program chargeable for area title decision throughout tens of millions of web companies.
The vulnerability, tracked as CVE-2025-13878, permits distant attackers to crash DNS servers by sending specifically crafted, malformed DNS information, doubtlessly disrupting crucial web infrastructure and organizational companies.
The vulnerability stems from improper dealing with of malformed BRID (Breadth-first Document ID) and HHIT (Host Hash Info Desk) information inside BIND 9’s named daemon.
FieldValueCVE IdentifierCVE-2025-13878TitleMalformed BRID/HHIT information could cause named to terminate unexpectedlyAffected SoftwareBIND 9 (DNS Server)Vulnerability TypeDenial of Service (DoS)Assault VectorNetwork (Distant)CVSS v3.1 Score7.5CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
When a DNS server receives a request containing corrupted or malicious information of those sorts, the daemon terminates unexpectedly, inflicting an entire service outage.
This denial-of-service (DoS) situation impacts each authoritative nameservers and DNS resolvers, increasing the assault floor throughout numerous community architectures.
The vulnerability carries a CVSS v3.1 severity rating of seven.5 (Excessive), with an assault vector rated as Community-based, requiring no particular privileges or consumer interplay.
This accessibility makes the flaw notably regarding for publicly accessible DNS infrastructure.
BIND Model BranchVulnerable VersionsPatched VersionBIND 9 (Customary)9.18.40 – 9.18.439.18.44BIND 9 (Customary)9.20.13 – 9.20.179.20.18BIND 9 (Customary)9.21.12 – 9.21.169.21.17BIND SPE (Preview)9.18.40-S1 – 9.18.43-S19.18.44-S1BIND SPE (Preview)9.20.13-S1 – 9.20.17-S19.20.18-S1
ISC disclosed this vulnerability publicly on January 21, 2026, following an early notification issued on January 14, 2026. The advisory recommends upgrading to the most recent patched variations.
Notably, no lively exploits are at present documented within the wild, offering organizations a crucial window for proactive remediation earlier than potential exploitation campaigns emerge.
Presently, no workarounds exist, making patching the one viable mitigation technique. Organizations working BIND 9 ought to prioritize updating to the most recent patched variations of their respective branches.
ISC acknowledges the safety researcher for responsibly disclosing this vulnerability, demonstrating the continued significance of coordinated vulnerability reporting.
Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
