CVE-2025-40775: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-40775 is a high-severity vulnerability affecting BIND 9, discovered and disclosed by Internet Systems Consortium (ISC) on May 21, 2025. The vulnerability affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7. When an incoming DNS protocol message includes a Transaction Signature (TSIG) with an invalid value in the algorithm field, BIND immediately aborts with an assertion failure (ISC KB, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is related to improper handling of undefined values (CWE-232) and affects both authoritative servers and resolvers. The vulnerability is triggered when processing DNS protocol messages containing Transaction Signatures (TSIG) with invalid algorithm field values (ISC KB).

The primary impact of this vulnerability is a denial-of-service condition. An attacker can cause the named service to terminate unexpectedly by sending specific messages to the server. This affects both authoritative servers and resolvers running vulnerable versions of BIND 9 (ISC KB).

No workarounds are known for this vulnerability. ISC recommends upgrading to the patched releases: BIND 9.20.9 or 9.21.8. Patches are available in the patches subdirectory of each published release directory for operators and package maintainers who prefer to apply patches selectively (Openwall, ISC KB).