CVE-2025-8677

Published Oct 22, 2025

Last updated 17 days ago

CVSS high 7.5
DNS
Port (53)

Overview

Description
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
Source
security-officer@isc.org
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security-officer@isc.org
CWE-405

Social media

Hype score
Not currently trending
  1. Just published a security advisory on CVE-2025-8677. This isn't just another vulnerability. Read more: 👉 https://t.co/OnNW8BDYGU #Security #Fedora https://t.co/aGTCTv9YSt

    @Cezar_H_Linux

    16 Nov 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Just published: A deep-dive on the critical #Fedora 42 DNS vulnerabilities. The post covers the technical details of CVE-2025-8677 (that DNSSEC validation break) and the related spoofing/poisoning flaws. 👉 https://t.co/EeTMQKx4eA #Security https://t.co/um6EsuXYh1

    @Cezar_H_Linux

    30 Oct 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Three serious flaws (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) were found in the DNS software "BIND 9", and ISC disclosed them on October 22. Attackers may be able to cause cache poisoning or DoS.

    @yousukezan

    23 Oct 2025

    911 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

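  4. ISC has published a resource exhaustion vulnerability (CVE-2025-8677) that exploits a flaw in DNSKEY record handling in BIND 9. Merely by processing a query for a specially crafted zone, the resolver falls into CPU overload, and the overall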

    @t_nihonmatsu

    23 Oct 2025

    530 Impressions

    2 Retweets

    6 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. [Alert] (Urgent) Vulnerability in BIND 9.x (inducing excessive CPU load) (CVE-2025-8677) - Upgrading is strongly recommended - https://t.co/4qP5Sg13is

    @JPRS_official

    23 Oct 2025

    519 Impressions

    3 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. [Note to self] CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling https://t.co/Ydnfd1akr5

    @OrangeMorishita

    23 Oct 2025

    434 Impressions

    2 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. BIND 9 DNSKEY CPU Exhaustion: CVE-2025-8677 A malformed DNSKEY can trigger high CPU usage in BIND 9 servers, risking denial of service for DNS infrastructure. Patch ASAP. For more details, read ZeroPath’s blog on this vuln. #AppSec #InfoSec #DNS https://t.co/o08QpGmCVg

    @ZeroPathLabs

    22 Oct 2025

    65 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  8. oss-sec: ISC has disclosed three vulnerabilities in BIND 9 (CVE-2025-8677, CVE-2025-40778, CVE-2025-40780) https://t.co/W2va6vjq0k

    @teenigma_

    22 Oct 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling Versions affected: BIND •9.18.0 -> 9.18.39 •9.20.0 -> 9.20.13 •9.21.0 -> 9.21.12 https://t.co/ZEXCqXuYAj

    @yo_suematsu

    22 Oct 2025

    118 Impressions

    2 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes