{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-40776", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "state": "PUBLISHED", "assignerShortName": "isc", "dateReserved": "2025-04-16T08:44:49.856Z", "datePublished": "2025-07-16T13:41:01.337Z", "dateUpdated": "2025-07-22T14:55:04.420Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2025-07-16T13:41:01.337Z"}, "title": "Birthday Attack against Resolvers supporting ECS", "datePublic": "2025-07-16T00:00:00.000Z", "affected": [{"vendor": "ISC", "product": "BIND 9", "versions": [{"version": "9.11.3-S1", "lessThanOrEqual": "9.16.50-S1", "status": "affected", "versionType": "custom"}, {"version": "9.18.11-S1", "lessThanOrEqual": "9.18.37-S1", "status": "affected", "versionType": "custom"}, {"version": "9.20.9-S1", "lessThanOrEqual": "9.20.10-S1", "status": "affected", "versionType": "custom"}, {"version": "9.0.0", "lessThanOrEqual": "9.20.10", "status": "unaffected", "versionType": "custom"}], "defaultStatus": "unaffected"}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-349", "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data"}]}], "descriptions": [{"lang": "en", "value": "A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1."}], "impacts": [{"descriptions": [{"lang": "en", "value": "A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations. As a result of this weakness, a resolver with ECS enabled is more vulnerable to successful cache poisoning via spoofed query responses than one that does not implement this feature."}]}], "workarounds": [{"lang": "en", "value": "Disable ECS in BIND by removing the `ecs-zones` option from `named.conf`."}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.38-S1 or 9.20.11-S1."}], "credits": [{"lang": "en", "value": "ISC would like to thank Xiang Li from AOSP Lab of Nankai University for bringing this vulnerability to our attention."}], "references": [{"url": "https://kb.isc.org/docs/cve-2025-40776", "name": "CVE-2025-40776", "tags": ["vendor-advisory"]}], "source": {"discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-22T14:54:56.292632Z", "id": "CVE-2025-40776", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-22T14:55:04.420Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-40776", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-22T14:54:56.292632Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-22T14:55:00.920Z"}}], "cna": {"title": "Birthday Attack against Resolvers supporting ECS", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "ISC would like to thank Xiang Li from AOSP Lab of Nankai University for bringing this vulnerability to our attention."}], "impacts": [{"descriptions": [{"lang": "en", "value": "A resolver configured to send ECS options to authoritative servers can be compelled to make queries that slightly increase the odds of guessing the source port and other details necessary to bypass the original birthday cache poisoning attack mitigations. As a result of this weakness, a resolver with ECS enabled is more vulnerable to successful cache poisoning via spoofed query responses than one that does not implement this feature."}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ISC", "product": "BIND 9", "versions": [{"status": "affected", "version": "9.11.3-S1", "versionType": "custom", "lessThanOrEqual": "9.16.50-S1"}, {"status": "affected", "version": "9.18.11-S1", "versionType": "custom", "lessThanOrEqual": "9.18.37-S1"}, {"status": "affected", "version": "9.20.9-S1", "versionType": "custom", "lessThanOrEqual": "9.20.10-S1"}, {"status": "unaffected", "version": "9.0.0", "versionType": "custom", "lessThanOrEqual": "9.20.10"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.38-S1 or 9.20.11-S1."}], "datePublic": "2025-07-16T00:00:00.000Z", "references": [{"url": "https://kb.isc.org/docs/cve-2025-40776", "name": "CVE-2025-40776", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "Disable ECS in BIND by removing the `ecs-zones` option from `named.conf`."}], "descriptions": [{"lang": "en", "value": "A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-349", "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data"}]}], "providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2025-07-16T13:41:01.337Z"}}}, "cveMetadata": {"cveId": "CVE-2025-40776", "state": "PUBLISHED", "dateUpdated": "2025-07-22T14:55:04.420Z", "dateReserved": "2025-04-16T08:44:49.856Z", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "datePublished": "2025-07-16T13:41:01.337Z", "assignerShortName": "isc"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1."}], "id": "CVE-2025-40776", "lastModified": "2025-07-16T14:58:59.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-officer@isc.org", "type": "Primary"}]}, "published": "2025-07-16T14:15:25.053", "references": [{"source": "security-officer@isc.org", "url": "https://kb.isc.org/docs/cve-2025-40776"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-349"}], "source": "security-officer@isc.org", "type": "Secondary"}]}

{}