
ISC BIND vulnerability discovered and disclosed by Marlink Cyber

Responsible research and collaboration in support of critical infrastructure

A vulnerability has been identified in ISC BIND, a widely used Domain Name System (DNS) service that provides name resolution for both Internet and local network environments.

 

Summary of the vulnerability

Software: ISC BIND

Software URL: https://www.isc.org/bind/

Vulnerability ID: MCSAID-2025-015

CVE ID: CVE-2025-13878

CVSS: 7.5 (HIGH)

Vulnerability type: Denial of Service (DoS), Service crash

Current state: Fix/Patch released by vendor.

Exploitation: Easy, not seen in the wild

Versions affected:

  • 9.18.43 and earlier (9.18.40 - 9.18.43, 9.18.40-S1 - 9.18.43-S1)
  • 9.20.17 and earlier (9.20.13 - 9.20.17, 9.20.13-S1 - 9.20.17-S1)
  • 9.21.16 and earlier (9.21.12 - 9.21.16)

Fixed in:

  • 9.18.44 (also fixed in 9.18.44-S1)
  • 9.20.18 (also fixed in 9.20.18-S1)
  • 9.21.17

 

Impact

The identified flaw allows a remote attacker to cause a denial-of-service (DoS) condition by crashing the BIND service. This disruption can have significant operational impact, as DNS resolution is a critical dependency for most Internet and enterprise services.

 

Exploitation

Exploitation is easy, as the attacker needs to cause the server to process a crafted DNS message.

Current analysis indicates that arbitrary code execution is not feasible. The vulnerability’s impact is limited to service interruption resulting from the crash.

 

Status

Current state of vulnerability:

  • Vulnerability has been publicly disclosed.
  • Fix/patch released by vendor.

 

Indicators

Indicators of this vulnerability may include the following:

On host:

  • Crashing of BIND/DNS service
  • Assert failures of BIND

Example messages:

rdata/generic/brid_68.c:87: REQUIRE(rdata->length >= 3) failed

rdata/generic/hhit_67.c:87: REQUIRE(rdata->length >= 3) failed

On network:

  • DNS resource records of type HHIT (type 67) or BRID (type 68) with an RDATA length of less than three octets
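The network indicator above can be checked on a sensor or in a pcap-processing job. The following is an added example, not code from Marlink or ISC: it walks one raw DNS message and reports HHIT/BRID records whose RDATA is shorter than three octets. The function names, the sample messages and the assumption that any TCP length prefix has already been stripped are all constructed for illustration.

```python
import struct

DRIP_TYPES = {67: "HHIT", 68: "BRID"}   # RR types named in the advisory
MIN_RDLEN = 3                            # BIND requires rdata->length >= 3

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]                # IndexError if the message is truncated
        if length >= 0xC0:               # compression pointer: 2 octets, ends name
            return off + 2
        if length == 0:                  # root label ends the name
            return off + 1
        off += 1 + length

def find_undersized_drip_rrs(msg: bytes) -> list:
    """Return [(type_name, rdlength)] for HHIT/BRID RRs with RDATA < 3 octets."""
    hits = []
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):              # question entry: name, QTYPE, QCLASS
            off = _skip_name(msg, off) + 4
        for _ in range(an + ns + ar):    # answer, authority, additional RRs
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype in DRIP_TYPES and rdlen < MIN_RDLEN:
                hits.append((DRIP_TYPES[rtype], rdlen))
            off += rdlen
    except (struct.error, IndexError):
        pass                             # truncated input: keep hits found so far
    return hits

def make_rr(rtype: int, rdata: bytes) -> bytes:
    """Constructed test RR: owner is a pointer to the question name, class IN."""
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

# Constructed sample responses (not captured traffic): one A RR plus one DRIP RR.
HEAD = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
HEAD += b"\x07example\x04test\x00" + struct.pack("!HH", 67, 1)
SAMPLE_FLAGGED = HEAD + make_rr(1, bytes(4)) + make_rr(67, b"\x00\x00")
SAMPLE_CLEAN = HEAD + make_rr(1, bytes(4)) + make_rr(68, bytes(8))

if __name__ == "__main__":
    for label, msg in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, find_undersized_drip_rrs(msg))
```

A hit identifies traffic matching the indicator only; whether a given server is affected still depends on the BIND version it runs.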

 

Recommendations

If you are running affected versions of ISC BIND, it is recommended to upgrade to fixed versions:

  • 9.18.44
  • 9.18.44-S1
  • 9.20.18
  • 9.20.18-S1
  • 9.21.17

 

Details of the vulnerability

Two malformed DNS resource record types, HHIT (type 67) and BRID (type 68), trigger an assertion in BIND's `dns_rdata_towire()` implementation when the RDATA length is less than three octets. The assertion aborts the `named` daemon, causing an immediate denial-of-service (DoS) condition. HHIT and BRID are part of the IETF DRIP Entity Tags implementation in ISC BIND.

The flaw is exploitable remotely in both forwarding and recursive modes; the attacker only needs to cause the server to process a crafted DNS message containing an undersized HHIT or BRID RR.

 

Timeline

2025-11-01 – Vulnerability reported to ISC official security contact

2025-11-01 – Report confirmed to be received by ISC with additional questions

2025-11-04 – Vulnerability acknowledged by ISC

2025-12-02 – CVE record reserved: CVE-2025-13878

2026-01-21 – Public disclosure of vulnerability and official fix available

Predicted questions and answers

  • I’m not using DRIP Entity Tags, is my ISC BIND installation still vulnerable?

Yes. An ISC BIND installation is vulnerable even if you are not using that feature, as long as you are running a vulnerable version of ISC BIND (or any software, solution or appliance that is based on it).

  • Is any other DNS software vulnerable?

Only if it is based on the ISC BIND codebase and on the affected versions. Other DNS software such as Unbound, PowerDNS and dnsmasq is not vulnerable to this specific vulnerability, since it has not implemented that functionality.

  • Is any other DNS solution vulnerable?

If you have an appliance or other solution that is based on the affected ISC BIND versions, you could have vulnerable installations. Check with your vendor, mentioning CVE-2025-13878 as a reference.


