“Under specific circumstances, due to a weakness in the pseudo-random number generator (PRNG) used, it is possible for an attacker to predict the source port and request ID that BIND will use,” BIND developers wrote in Wednesday’s disclosure. “BIND may be required to cache responses from attackers, if the impersonation is successful.”
The second vulnerability, CVE-2025-40778, likewise raises the possibility of reviving cache poisoning attacks.
“In certain circumstances, BIND is too lenient when accepting response records, allowing an attacker to inject false data into the cache,” the developers explained. “Forged records can be injected into the cache during a query, which can potentially affect the resolution of future queries.”
Even in such cases, the consequences would be much more limited than the scenario Kaminsky envisioned. One reason is that authoritative servers themselves are not vulnerable; only resolvers that cache answers are exposed. Additionally, as Red Hat noted in its advisories for the flaws, various other countermeasures against cache poisoning remain intact. They include DNSSEC, under which records in signed zones carry digital signatures that a validating resolver checks before trusting an answer, so a forged record for a signed name is rejected. Further measures, rate limiting and firewalling the resolver so that only the clients it is meant to serve can reach it, are considered best practices.
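As an added illustration, not code from BIND or from the original article, the following Python sketch models the gates a caching resolver puts between a forged UDP packet and its cache: the transaction ID and source port a spoofer must match blind (a guess space that collapses to the 16-bit ID alone when the port is predictable), the question-section match, and the bailiwick rule that decides which records in an accepted response may be cached. The record layout, the constants, the sample query and the sample responses are all constructed here for the example.

```python
"""
Toy model of the checks a caching resolver applies before caching a response.
Added illustration only; the record layout, port choice and sample packets
are constructed here and are not BIND's code or its actual behaviour.
"""
import secrets
from dataclasses import dataclass

TXID_SPACE = 1 << 16          # DNS transaction ID is 16 bits


@dataclass(frozen=True)
class Record:
    name: str                 # owner name, e.g. "www.example.com."
    rtype: str                # "A", "NS", ...
    data: str


@dataclass(frozen=True)
class Query:
    qname: str                # name we asked about
    txid: int                 # transaction ID we chose
    sport: int                # UDP source port we sent from
    server: str               # authoritative server we asked


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int                # port the packet was delivered to
    src: str                  # source address (trivially spoofable)
    qname: str                # question section echoed back
    answers: tuple
    additional: tuple


def new_query(qname: str, server: str, port_random: bool) -> Query:
    """Pick the ID/port pair for an outgoing query.  A fixed, predictable
    source port (port_random=False; 53000 is an assumed value) is the
    situation a weak PRNG produces: the attacker then only has to hit the ID."""
    txid = secrets.randbelow(TXID_SPACE)
    sport = secrets.randbelow(65535 - 1024 + 1) + 1024 if port_random else 53000
    return Query(qname, txid, sport, server)


def spoof_search_space(port_random: bool, low: int = 1024, high: int = 65535) -> int:
    """Number of (txid, port) pairs an off-path attacker must cover blind."""
    ports = (high - low + 1) if port_random else 1
    return TXID_SPACE * ports


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below zone, i.e. the server we asked is
    entitled to speak for that name."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def accept_response(q: Query, r: Response, zone: str, strict: bool = True):
    """Return (records_to_cache, reason).  ID, port and question must match
    the outstanding query; the source-address check is listed for completeness
    but is no barrier to a spoofer.  With strict=True, records outside the
    zone's bailiwick are dropped instead of cached."""
    if r.txid != q.txid:
        return (), "txid mismatch"
    if r.dport != q.sport:
        return (), "port mismatch"
    if r.src != q.server:
        return (), "unexpected source address"
    if r.qname.lower() != q.qname.lower():
        return (), "question mismatch"
    kept = tuple(rec for rec in r.answers + r.additional
                 if not strict or in_bailiwick(rec.name, zone))
    return kept, "ok"


def demo() -> dict:
    """Constructed scenario: a genuine answer, a blind forgery with the wrong
    ID, and a forgery that matched ID and port but carries an out-of-bailiwick
    record in its additional section."""
    q = Query("www.example.com.", txid=0x1A2B, sport=40000, server="192.0.2.53")
    zone = "example.com."
    genuine = Response(0x1A2B, 40000, "192.0.2.53", "www.example.com.",
                       (Record("www.example.com.", "A", "192.0.2.10"),), ())
    blind = Response(0x0001, 40000, "192.0.2.53", "www.example.com.",
                     (Record("www.example.com.", "A", "198.51.100.66"),), ())
    smuggled = Response(0x1A2B, 40000, "192.0.2.53", "www.example.com.",
                        (Record("www.example.com.", "A", "198.51.100.66"),),
                        (Record("www.bank.test.", "A", "198.51.100.66"),))
    return {
        "genuine": accept_response(q, genuine, zone),
        "blind": accept_response(q, blind, zone),
        "strict": accept_response(q, smuggled, zone),          # bank record dropped
        "lenient": accept_response(q, smuggled, zone, strict=False),  # bank record cached
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    print("random port:", spoof_search_space(True), "fixed port:", spoof_search_space(False))
```

The point of the numbers is the ratio: with a randomised port drawn from 1024-65535 the attacker has about 4.2 billion ID/port pairs to cover, with a predictable port only 65,536. The `lenient` case shows why the acceptance rule matters independently of that race: once a forged packet is accepted at all, a cache that does not drop out-of-bailiwick records stores the attacker's record for an unrelated name.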
“As the exploitation is non-trivial, requires network-level impersonation and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered important rather than critical,” Red Hat wrote in its CVE-2025-40780 disclosure.
The vulnerabilities can nevertheless cause real damage in some environments. Patches for all three should be installed as soon as possible.