CVE-2025-40775

moderate-risk
Published 2025-05-21

When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.

Do I need to act?

-
0.18% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

References (3)

https://kb.isc.org/docs/cve-2025-40775
http://www.openwall.com/lists/oss-security/2025/05/21/1
https://security.netapp.com/advisory/ntap-20250523-0001/
32
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal