“In specific circumstances, as a consequence of a weakness within the Pseudo Random Number Generator (PRNG) that’s used, it is feasible for an attacker to predict the source port and query ID that BIND will use,” BIND developers wrote in Wednesday’s disclosure. “BIND may be tricked into caching attacker responses, if the spoofing is successful.”
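As an added illustration (not from the BIND disclosure or this article), the Python sketch below shows the kind of sanity check a resolver operator can run over a captured sample of outgoing (source port, query ID) pairs to spot obviously predictable sequences; the two sample sequences are constructed, one counter-like and one drawn at random.

```python
import random
from collections import Counter

MOD = 65536  # UDP source ports and DNS query IDs are both 16-bit fields


def step_predictability(values, modulus=MOD):
    """Fraction of transitions matching 'previous + most common delta' (mod modulus).

    Close to 1.0 means the field behaves like a simple counter; genuinely
    random 16-bit values give a result near 1/len(values).
    """
    if len(values) < 3:
        return 0.0
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    step = Counter(deltas).most_common(1)[0][0]
    hits = sum(1 for a, b in zip(values, values[1:]) if (a + step) % modulus == b)
    return hits / (len(values) - 1)


def assess(observations, threshold=0.2):
    """Summarise a list of (source_port, query_id) pairs from a resolver's outgoing queries."""
    ports = [p for p, _ in observations]
    ids = [q for _, q in observations]
    report = {
        "port_step_predictability": step_predictability(ports),
        "id_step_predictability": step_predictability(ids),
        "port_unique_ratio": len(set(ports)) / len(ports),
        "id_unique_ratio": len(set(ids)) / len(ids),
    }
    # Flag the sample if either field behaves like a counter or reuses values heavily.
    report["looks_predictable"] = (
        report["port_step_predictability"] > threshold
        or report["id_step_predictability"] > threshold
        or report["port_unique_ratio"] < 0.5
        or report["id_unique_ratio"] < 0.5
    )
    return report


# Constructed samples: a counter-like resolver versus one drawing both fields at random.
WEAK_SAMPLE = [((40000 + i) % MOD, (i * 7) % MOD) for i in range(200)]
_rng = random.Random(20251022)  # fixed seed so the demo is reproducible
HEALTHY_SAMPLE = [(_rng.randrange(1024, MOD), _rng.randrange(MOD)) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(name, assess(sample))
```

A PRNG weakness of the kind the advisory describes need not show up as a fixed delta, so passing this check is not evidence of good randomness; it only catches the grossly predictable cases.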
CVE-2025-40778 also raises the potential for reviving cache poisoning attacks.
“Under certain circumstances, BIND is just too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache,” the developers explained. “Forged records may be injected into cache during a question, which may potentially affect resolution of future queries.”
Even in such cases, the resulting fallout can be significantly more limited than the scenario envisioned by Kaminsky. One reason for that is that authoritative servers themselves aren’t vulnerable. Further, as Red Hat noted in its advisories, various other cache poisoning countermeasures remain intact. They include DNSSEC, a protection that requires DNS records to be digitally signed. Additional measures, in the shape of rate limiting and server firewalling, are available and are considered best practices.
“Because exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered Important rather than Critical,” Red Hat wrote in its disclosure of CVE-2025-40780.
The vulnerabilities nonetheless have the potential to cause harm in some organizations. Patches for all three need to be installed as soon as practicable.