A high-severity vulnerability in BIND 9—one of the most widely deployed DNS server implementations—can cause the named daemon to terminate unexpectedly when processing specially crafted, malformed BRID/HHIT records. The outcome is a remote denial of service (DoS) that can disrupt name resolution for public services and internal enterprise infrastructure.
Internet Systems Consortium (ISC) issued an early notification on January 14, 2026, followed by public disclosure on January 21, 2026, and recommends upgrading to patched releases. ISC also states it is not aware of active exploitation at the time of publication and that no workarounds are known, making patching the only practical mitigation.
What’s happening, in plain terms
DNS is foundational: when it fails, the blast radius is rarely limited to “just DNS.” In affected BIND 9 versions, certain malformed BRID/HHIT data can trigger a crash in named. If attackers can repeatedly induce that condition, they can keep a DNS service unstable or offline—impacting:
- Authoritative DNS (domains, zones, public-facing services)
- Recursive resolvers (enterprise resolution, forwarders, shared resolvers)
- Any upstream systems that rely on consistent name resolution (email, SSO, APIs, service discovery, monitoring, etc.)
Key details at a glance
- CVE: CVE-2025-13878
- Product: BIND 9 (`named`)
- Type: Denial of Service (DoS)
- Attack vector: Remote / network
- Privileges / user interaction: None required
- CVSS v3.1: 7.5 (High)
- Scope: Authoritative servers and resolvers are both affected
ISC credits Vlatko Kosturjak (Marlink Cyber) for responsible disclosure.
Affected and patched versions
ISC recommends upgrading to the patched release closest to your current branch.
| Branch | Vulnerable versions | Patched version |
|---|---|---|
| BIND 9 (Standard) | 9.18.40 – 9.18.43 | 9.18.44 |
| BIND 9 (Standard) | 9.20.13 – 9.20.17 | 9.20.18 |
| BIND 9 (Standard) | 9.21.12 – 9.21.16 | 9.21.17 |
| BIND SPE (Preview) | 9.18.40-S1 – 9.18.43-S1 | 9.18.44-S1 |
| BIND SPE (Preview) | 9.20.13-S1 – 9.20.17-S1 | 9.20.18-S1 |
Why this matters operationally
From an operations perspective, a DNS crash is often more damaging than a single application outage because DNS is a dependency for many systems at once. Even short interruptions can cascade into:
- Failed logins (SSO/LDAP/AD-integrated services)
- Broken internal routing (service discovery, microservices, API gateways)
- Monitoring blind spots (agents can’t resolve endpoints)
- Increased incident noise (multiple systems alerting at once)
Because the issue is remotely triggerable and affects both authoritative and recursive deployments, security teams should treat this as a priority patch for any BIND exposed to untrusted networks.
Recommended actions for sysadmins and security teams
1) Identify where BIND 9 is running
- Inventory authoritative nameservers, recursive resolvers, forwarders, and embedded deployments.
- Confirm versions (for example, `named -v` or via your package manager).
2) Patch promptly (no workaround)
ISC indicates no known workarounds, so upgrading to the patched versions above is the remediation path.
3) Validate and monitor
- Confirm successful restart and stability post-upgrade.
- Add/verify alerting for:
  - `named` process crashes or restarts
  - sudden drops in query throughput
  - spikes in SERVFAIL/timeouts
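
For the inventory in step 1, the version ranges from the table above can be checked with a small script. This is an added example, not ISC tooling: the function name, the output labels and the sample inputs are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify a BIND 9 version string against the
# vulnerable/patched ranges listed in this article's table.
# Function name and output labels are hypothetical.

bind_brid_hhit_status() {
    local ver branch patch lo hi
    # Accept `named -v` style text, a package version, or a bare version.
    # Only X.Y.Z is kept, so an SPE "-S1" suffix is ignored; the SPE
    # ranges in the table use the same numbers as the standard branches.
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    if [ -z "$ver" ]; then echo "unparsed"; return 0; fi
    branch=${ver%.*}   # e.g. 9.18
    patch=${ver##*.}   # e.g. 41
    case "$branch" in
        9.18) lo=40; hi=43 ;;   # fixed in 9.18.44
        9.20) lo=13; hi=17 ;;   # fixed in 9.20.18
        9.21) lo=12; hi=16 ;;   # fixed in 9.21.17
        *) echo "branch-not-listed"; return 0 ;;
    esac
    if [ "$patch" -lt "$lo" ]; then
        echo "below-listed-range"   # older than the first listed version
    elif [ "$patch" -le "$hi" ]; then
        echo "vulnerable"
    else
        echo "patched"              # at or above the patched release
    fi
}

# Constructed sample inputs (not captured from real hosts).
while IFS= read -r sample; do
    printf '%-58s %s\n' "$sample" "$(bind_brid_hhit_status "$sample")"
done <<'EOF'
BIND 9.18.41 (Extended Support Version) <id:constructed>
BIND 9.20.18 (Stable Release) <id:constructed>
9.18.43-S1
9.21.11
9.16.50
EOF

# On a host running BIND: bind_brid_hhit_status "$(named -v)"
```

Distribution packages can carry a backported fix under an older upstream version number, so confirm a "vulnerable" result against the vendor's own advisory before scheduling the upgrade.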
FAQ
How do I know if I’m vulnerable to CVE-2025-13878?
If your BIND 9 version falls within the vulnerable ranges listed above (for example, 9.18.40–9.18.43, 9.20.13–9.20.17, or 9.21.12–9.21.16), you should upgrade to the patched version in the same branch.
Does this affect authoritative DNS only, or resolvers too?
ISC states that both authoritative servers and resolvers are affected.
Is there a mitigation other than patching?
ISC lists no known workarounds, so patching is the only viable mitigation.
Is this being exploited in the wild?
ISC notes it is not aware of active exploitation at the time of the advisory’s publication, but the safest approach is to patch during this window before exploitation becomes more likely.
