{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-40780", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "state": "PUBLISHED", "assignerShortName": "isc", "dateReserved": "2025-04-16T08:44:49.857Z", "datePublished": "2025-10-22T15:48:27.146Z", "dateUpdated": "2025-10-22T17:27:49.476Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2025-10-22T15:48:27.146Z"}, "title": "Cache poisoning due to weak PRNG", "datePublic": "2025-10-22T00:00:00.000Z", "affected": [{"vendor": "ISC", "product": "BIND 9", "versions": [{"version": "9.16.0", "lessThanOrEqual": "9.16.50", "status": "affected", "versionType": "custom"}, {"version": "9.18.0", "lessThanOrEqual": "9.18.39", "status": "affected", "versionType": "custom"}, {"version": "9.20.0", "lessThanOrEqual": "9.20.13", "status": "affected", "versionType": "custom"}, {"version": "9.21.0", "lessThanOrEqual": "9.21.12", "status": "affected", "versionType": "custom"}, {"version": "9.16.8-S1", "lessThanOrEqual": "9.16.50-S1", "status": "affected", "versionType": "custom"}, {"version": "9.18.11-S1", "lessThanOrEqual": "9.18.39-S1", "status": "affected", "versionType": "custom"}, {"version": "9.20.9-S1", "lessThanOrEqual": "9.20.13-S1", "status": "affected", "versionType": "custom"}], "defaultStatus": "unaffected"}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-341", "description": "CWE-341 Predictable from Observable State"}]}], "descriptions": [{"lang": "en", "value": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."}], "impacts": [{"descriptions": [{"lang": "en", "value": "BIND can be tricked into caching attacker responses, if the spoofing is successful."}]}], "workarounds": [{"lang": "en", "value": "No workarounds known."}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.41, 9.20.15, 9.21.14, 9.18.41-S1, or 9.20.15-S1."}], "credits": [{"lang": "en", "value": "ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from Hebrew University of Jerusalem for bringing this vulnerability to our attention."}], "references": [{"url": "https://kb.isc.org/docs/cve-2025-40780", "name": "CVE-2025-40780", "tags": ["vendor-advisory"]}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T17:27:36.366032Z", "id": "CVE-2025-40780", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T17:27:49.476Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-40780", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T17:27:36.366032Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T17:27:40.722Z"}}], "cna": {"title": "Cache poisoning due to weak PRNG", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from Hebrew University of Jerusalem for bringing this vulnerability to our attention."}], "impacts": [{"descriptions": [{"lang": "en", "value": "BIND can be tricked into caching attacker responses, if the spoofing is successful."}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ISC", "product": "BIND 9", "versions": [{"status": "affected", "version": "9.16.0", "versionType": "custom", "lessThanOrEqual": "9.16.50"}, {"status": "affected", "version": "9.18.0", "versionType": "custom", "lessThanOrEqual": "9.18.39"}, {"status": "affected", "version": "9.20.0", "versionType": "custom", "lessThanOrEqual": "9.20.13"}, {"status": "affected", "version": "9.21.0", "versionType": "custom", "lessThanOrEqual": "9.21.12"}, {"status": "affected", "version": "9.16.8-S1", "versionType": "custom", "lessThanOrEqual": "9.16.50-S1"}, {"status": "affected", "version": "9.18.11-S1", "versionType": "custom", "lessThanOrEqual": "9.18.39-S1"}, {"status": "affected", "version": "9.20.9-S1", "versionType": "custom", "lessThanOrEqual": "9.20.13-S1"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of BIND 9: 9.18.41, 9.20.15, 9.21.14, 9.18.41-S1, or 9.20.15-S1."}], "datePublic": "2025-10-22T00:00:00.000Z", "references": [{"url": "https://kb.isc.org/docs/cve-2025-40780", "name": "CVE-2025-40780", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "No workarounds known."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-341", "description": "CWE-341 Predictable from Observable State"}]}], "providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2025-10-22T15:48:27.146Z"}}}, "cveMetadata": {"cveId": "CVE-2025-40780", "state": "PUBLISHED", "dateUpdated": "2025-10-22T17:27:49.476Z", "dateReserved": "2025-04-16T08:44:49.857Z", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "datePublished": "2025-10-22T15:48:27.146Z", "assignerShortName": "isc"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1."}], "id": "CVE-2025-40780", "lastModified": "2025-10-22T21:12:32.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-officer@isc.org", "type": "Primary"}]}, "published": "2025-10-22T16:15:42.720", "references": [{"source": "security-officer@isc.org", "url": "https://kb.isc.org/docs/cve-2025-40780"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-341"}], "source": "security-officer@isc.org", "type": "Secondary"}]}

{"bugzilla": {"description": "bind: Cache poisoning due to weak PRNG", "id": "2405829", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405829"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-338", "details": ["A vulnerability was found in BIND resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG). This weakness allows an attacker to potentially predict the source port and query ID used by BIND, enabling cache poisoning attacks. If successful, the attacker can inject malicious DNS responses into the resolver\u2019s cache, causing clients to receive spoofed DNS data. Authoritative servers are generally unaffected, but recursive resolvers are exposed to this risk. Exploitation is remote and does not require user interaction."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\nTo reduce risk, restrict recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks."}, "name": "CVE-2025-40780", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "bind9.16", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "bind", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "bind9.18", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dhcp", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-10-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-40780\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40780"], "statement": "This vulnerability in BIND 9 resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG) used to select the UDP source port and DNS query (transaction) ID. Exploitation requires an attacker to correctly predict both values and race the legitimate authoritative response with a spoofed packet to perform cache poisoning. While the PRNG weakness reduces entropy and makes prediction feasible under certain conditions, this still requires precise timing, on-path or spoofing capabilities, and targeting of recursive resolvers.\nThe impact is limited to resolver cache integrity; it does not allow remote code execution, privilege escalation, or direct compromise of the BIND server itself. Authoritative servers are not affected. Additionally, operational mitigations such as DNSSEC validation, access control restricting recursion, and network-level packet filtering reduce real-world exploitability. No active exploits have been observed in the wild.\nBecause exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered Important rather than Critical.", "threat_severity": "Important"}