{ "threat_severity" : "Important", "public_date" : "2025-10-22T00:00:00Z", "bugzilla" : { "description" : "bind: Cache poisoning due to weak PRNG", "id" : "2405829", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2405829" }, "cvss3" : { "cvss3_base_score" : "8.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-338", "details" : [ "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.\nThis issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "A vulnerability was found in BIND resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG). This weakness allows an attacker to potentially predict the source port and query ID used by BIND, enabling cache poisoning attacks. If successful, the attacker can inject malicious DNS responses into the resolver’s cache, causing clients to receive spoofed DNS data. Authoritative servers are generally unaffected, but recursive resolvers are exposed to this risk. Exploitation is remote and does not require user interaction." ], "statement" : "This vulnerability in BIND 9 resolvers caused by a weakness in the Pseudo Random Number Generator (PRNG) used to select the UDP source port and DNS query (transaction) ID. Exploitation requires an attacker to correctly predict both values and race the legitimate authoritative response with a spoofed packet to perform cache poisoning. While the PRNG weakness reduces entropy and makes prediction feasible under certain conditions, this still requires precise timing, on-path or spoofing capabilities, and targeting of recursive resolvers.\nThe impact is limited to resolver cache integrity; it does not allow remote code execution, privilege escalation, or direct compromise of the BIND server itself. Authoritative servers are not affected. Additionally, operational mitigations such as DNSSEC validation, access control restricting recursion, and network-level packet filtering reduce real-world exploitability. No active exploits have been observed in the wild.\nBecause exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered Important rather than Critical.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-06T00:00:00Z", "advisory" : "RHSA-2025:19912", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "bind-32:9.18.33-4.el10_0.2" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:21034", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "bind-32:9.18.33-10.el10_1.2" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-11-05T00:00:00Z", "advisory" : "RHSA-2025:19793", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "bind9.16-32:9.16.23-0.22.el8_10.4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-11-26T00:00:00Z", "advisory" : "RHSA-2025:22168", "cpe" : "cpe:/a:redhat:rhel_aus:8.6", "package" : "bind9.16-32:9.16.23-0.7.el8_6.9" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-11-26T00:00:00Z", "advisory" : "RHSA-2025:22168", "cpe" : "cpe:/a:redhat:rhel_tus:8.6", "package" : "bind9.16-32:9.16.23-0.7.el8_6.9" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-11-26T00:00:00Z", "advisory" : "RHSA-2025:22168", "cpe" : "cpe:/a:redhat:rhel_e4s:8.6", "package" : "bind9.16-32:9.16.23-0.7.el8_6.9" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21939", "cpe" : "cpe:/a:redhat:rhel_tus:8.8", "package" : "bind9.16-32:9.16.23-0.14.el8_8.7" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21939", "cpe" : "cpe:/a:redhat:rhel_e4s:8.8", "package" : "bind9.16-32:9.16.23-0.14.el8_8.7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-10T00:00:00Z", "advisory" : "RHSA-2025:19950", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "bind9.18-32:9.18.29-4.el9_6.2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-10T00:00:00Z", "advisory" : "RHSA-2025:19951", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "bind-32:9.16.23-31.el9_6.2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21110", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "bind-32:9.16.23-34.el9_7.1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-12T00:00:00Z", "advisory" : "RHSA-2025:21111", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "bind9.18-32:9.18.29-5.el9_7.2" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-11-20T00:00:00Z", "advisory" : "RHSA-2025:21889", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "bind-32:9.16.23-1.el9_0.11" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-11-20T00:00:00Z", "advisory" : "RHSA-2025:21887", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "bind-32:9.16.23-11.el9_2.9" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-11-20T00:00:00Z", "advisory" : "RHSA-2025:21817", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "bind-32:9.16.23-18.el9_4.10" }, { "product_name" : "Red Hat OpenShift Container Platform 4.12", "release_date" : "2026-01-15T00:00:00Z", "advisory" : "RHSA-2026:0316", "cpe" : "cpe:/a:redhat:openshift:4.12::el8", "package" : "rhcos-412.86.202601061735-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.13", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0677", "cpe" : "cpe:/a:redhat:openshift:4.13::el9", "package" : "rhcos-413.92.202601130113-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2026-01-30T00:00:00Z", "advisory" : "RHSA-2026:0996", "cpe" : "cpe:/a:redhat:openshift:4.14::el9", "package" : "rhcos-414.92.202601191325-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.15", "release_date" : "2026-02-05T00:00:00Z", "advisory" : "RHSA-2026:1541", "cpe" : "cpe:/a:redhat:openshift:4.15::el9", "package" : "rhcos-415.92.202601271320-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.16", "release_date" : "2026-01-15T00:00:00Z", "advisory" : "RHSA-2026:0326", "cpe" : "cpe:/a:redhat:openshift:4.16::el9", "package" : "rhcos-416.94.202601071926-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.17", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0702", "cpe" : "cpe:/a:redhat:openshift:4.17::el9", "package" : "rhcos-417.94.202601120213-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.18", "release_date" : "2026-01-15T00:00:00Z", "advisory" : "RHSA-2026:0332", "cpe" : "cpe:/a:redhat:openshift:4.18::el9", "package" : "rhcos-418.94.202601071817-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.19", "release_date" : "2026-01-22T00:00:00Z", "advisory" : "RHSA-2026:0674", "cpe" : "cpe:/a:redhat:openshift:4.19::el9", "package" : "rhcos-4.19.9.6.202601130152-0" }, { "product_name" : "Red Hat OpenShift Container Platform 4.20", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0420", "cpe" : "cpe:/a:redhat:openshift:4.20::el9", "package" : "rhcos-4.20.9.6.202601052146-0" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21994", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-ui-rhel9:sha256:310df392f638ef6eca1a26db024ae2cb617db5932f886d2acddc92fb7289e740" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "bind", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "bind", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "bind", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "dhcp", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40780\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40780" ], "name" : "CVE-2025-40780", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\nTo reduce risk, restrict recursive queries to trusted or internal networks only, and apply rate limiting or firewall rules to prevent excessive or repetitive requests. Enabling DNSSEC validation helps reject forged records, while isolating recursive resolvers from authoritative servers limits the impact of potential cache poisoning. Active monitoring of CPU usage, query volume, and cache anomalies can provide early warning of abuse or attacks.", "lang" : "en:us" }, "csaw" : false }