
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability in BIND 9 (CVE-2025-40777) was discovered and disclosed on July 16, 2025. The issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1. The vulnerability occurs when a named caching resolver is configured with a specific combination of settings: 'stale-answer-enable yes' and 'stale-answer-client-timeout' set to 0 (ISC KB).
The vulnerability is classified as a reachable assertion failure (CWE-617) with a CVSS v3.1 base score of 7.5 (High). The issue manifests when the resolver encounters a CNAME chain involving a specific combination of cached or authoritative records, causing the daemon to abort with an assertion failure. The vulnerability requires network access but no privileges or user interaction (NVD, ISC KB).
If successfully exploited, the vulnerability can cause the named daemon to exit, resulting in a denial of service. While authoritative services are believed to be unaffected, resolvers are vulnerable to this issue. The high CVSS score reflects the potential impact on system availability (ISC KB).
Two workarounds are available: setting 'stale-answer-client-timeout off' or 'stale-answer-enable no' in the configuration file. For a permanent fix, users should upgrade to BIND 9.20.11, BIND 9.21.10, or BIND 9.20.11-S1 depending on their current version (ISC KB).
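An added check, written for this entry and not taken from ISC or the database, that tests a BIND version string against the affected ranges above and scans named.conf text for the triggering option pair. It assumes the option names and value syntax used by BIND (stale-answer-enable yes/no, stale-answer-client-timeout off/milliseconds) and treats an absent option as not matching, so consult your build's defaults if neither line is present:

```python
import re

# Affected ranges from the advisory: ((major, minor), patch_lo, patch_hi, subscription-edition?)
AFFECTED = [
    ((9, 20), 0, 10, False),   # 9.20.0  - 9.20.10
    ((9, 21), 0, 9, False),    # 9.21.0  - 9.21.9
    ((9, 20), 9, 10, True),    # 9.20.9-S1 - 9.20.10-S1
]

def version_affected(version: str) -> bool:
    """True if a BIND version string ('9.20.10' or '9.20.10-S1') falls in an affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-S1)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    sub = m.group(4) is not None
    return any(
        (major, minor) == mm and lo <= patch <= hi and sub == is_sub
        for mm, lo, hi, is_sub in AFFECTED
    )

def _strip_comments(conf: str) -> str:
    """Remove /* */, // and # comments so commented-out options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def config_has_trigger(conf: str) -> bool:
    """True if serve-stale is enabled AND the client timeout is exactly 0.
    Assumption (not from the advisory): an absent option does not match."""
    text = _strip_comments(conf)
    enable = re.search(r"\bstale-answer-enable\s+(yes|no|true|false)\s*;", text)
    timeout = re.search(r"\bstale-answer-client-timeout\s+(off|\d+)\s*;", text)
    enabled = enable is not None and enable.group(1) in ("yes", "true")
    zero = timeout is not None and timeout.group(1) == "0"
    return enabled and zero

def needs_action(version: str, conf: str) -> bool:
    """Affected build combined with a triggering configuration."""
    return version_affected(version) and config_has_trigger(conf)

# Constructed sample configs: the triggering pair and the 'off' workaround from the advisory
VULNERABLE_CONF = """
options {
    recursion yes;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;   // combination that reaches the assertion
};
"""
MITIGATED_CONF = VULNERABLE_CONF.replace("stale-answer-client-timeout 0;",
                                         "stale-answer-client-timeout off;")
```

Run it against the output of `named -v` and the resolver's real configuration; a `True` from needs_action means apply one of the two workarounds or upgrade.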
Source: This report was generated using AI