CVE-2025-40775: 
CBL Mariner vulnerability analysis and mitigation

CVE-2025-40775 is a high-severity vulnerability discovered in BIND 9 in May 2025. When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This vulnerability affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7 (ISC KB).

The vulnerability is related to the handling of Transaction Signatures (TSIG) in DNS protocol messages. When BIND processes an incoming DNS message containing a TSIG, it performs validation checks. If the TSIG's algorithm field contains an invalid value, it triggers an assertion failure causing BIND to terminate unexpectedly. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with no privileges required (ISC KB).

The primary impact of this vulnerability is denial-of-service (DoS). An attacker can cause the named service to terminate unexpectedly by sending specific messages to the server. Both authoritative servers and resolvers are affected by this vulnerability (ISC KB).

No workarounds are known for this vulnerability. The recommended solution is to upgrade to the patched releases: BIND 9.20.9 or 9.21.8. Patches are available in the patches subdirectory of each published release directory (ISC KB, OSS Security).