
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-40778) was discovered in BIND's DNS resolver logic that makes it overly permissive when accepting resource records (RRs) in responses. The vulnerability was discovered by researchers Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan, and was publicly disclosed on October 22, 2025. The issue affects BIND 9 versions prior to 9.18.41, 9.20.15, and 9.21.14 (Ubuntu Security, GBHackers).
The vulnerability allows attackers to perform cache poisoning attacks by exploiting BIND's incorrect handling of certain records from answers. The issue has received a CVSS score of 8.6, indicating high severity. The vulnerability specifically affects DNS resolvers and could impact millions of users worldwide who rely on BIND for DNS resolution (GBHackers).
When successfully exploited, this vulnerability enables attackers to inject forged DNS records into a resolver's cache. This can lead to cache poisoning attacks, potentially redirecting users to malicious websites and allowing attackers to intercept communications. The impact is particularly concerning for enterprise networks, internet service providers, and anyone relying on accurate domain name resolution (GBHackers).
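The advisory describes the flaw only as BIND being too permissive about which records in a response it accepts. The classic check a caching resolver applies here is the bailiwick rule: a record may enter the cache only if its owner name lies within the zone the responding server is authoritative for, whatever section of the response it arrived in. The following is an added illustration of that rule, not BIND's code and not a reconstruction of the exact condition behind CVE-2025-40778; the `RR` type, the `accept_response` function and the sample response are all constructed for this example.

```python
"""Added illustration (not BIND's code): the bailiwick rule a caching
resolver applies to records in a response. Only records whose owner name
falls under the zone the queried server is authoritative for may enter the
cache; anything else in the answer, authority or additional section is
discarded. Sample records below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str     # owner name, e.g. "www.example.com."
    rtype: str    # record type, e.g. "A" or "NS"
    rdata: str    # record data in presentation format
    section: str  # "answer", "authority" or "additional"


def normalize(name: str) -> str:
    """DNS names are case-insensitive; compare them lower-cased and fully qualified."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it (the root zone covers everything)."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":
        return True
    return owner == zone or owner.endswith("." + zone)


def accept_response(cache: dict, records, zone: str):
    """Store in-bailiwick records in cache (keyed by (name, type)) and return
    the records that were rejected, so the caller can log them."""
    rejected = []
    for rr in records:
        if in_bailiwick(rr.name, zone):
            cache.setdefault((normalize(rr.name), rr.rtype), []).append(rr.rdata)
        else:
            rejected.append(rr)
    return rejected


# Constructed response from the example.com. name server to a query for
# www.example.com. The last additional record is out of bailiwick: a lenient
# resolver that cached it would later answer queries for login.other.test.
# with data the example.com. server had no authority to supply.
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("login.other.test.", "A", "198.51.100.7", "additional"),
]


def demo():
    """Run the sample response through the filter; returns (cache, rejected)."""
    cache = {}
    rejected = accept_response(cache, SAMPLE_RESPONSE, "example.com.")
    return cache, rejected


if __name__ == "__main__":
    cache, rejected = demo()
    for key, values in cache.items():
        print("cached  ", key, values)
    for rr in rejected:
        print("rejected", rr.name, rr.rtype, rr.rdata, "(out of bailiwick)")
```

Running the script caches the three `example.com.` records and rejects the `login.other.test.` A record. The point for a defender is that the damage from a poisoned response is bounded by how strictly this filter is applied, which is why a resolver bug that relaxes it is rated as highly as this one.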
Organizations should immediately upgrade to the patched BIND 9 versions: 9.18.41, 9.20.15, or 9.21.14. For Preview Edition users, the upgrade should be to versions 9.18.41-S1 or 9.20.15-S1. Ubuntu users should update to the following package versions: 1:9.20.11-1ubuntu2.1 (25.10), 1:9.20.11-0ubuntu0.2 (25.04), 1:9.18.39-0ubuntu0.24.04.2 (24.04 LTS), or 1:9.18.39-0ubuntu0.22.04.2 (22.04 LTS). No workarounds other than upgrading are currently available (Ubuntu Security, GBHackers).
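To turn the version list above into a check an operator can run against a fleet inventory, here is an added example; it is not ISC's, Ubuntu's or Wiz's code. The fixed-version tables are copied from the text above. Everything else is constructed: the `upstream_status` and `ubuntu_status` functions, the sample version strings, and the simplified Ubuntu package ordering, which stands in for dpkg's comparison and is only reliable when the non-numeric parts of the two version strings match (as they do when comparing a package against its own security update). Branches and releases the advisory does not name are reported as unknown rather than guessed at, which is an assumption of this example.

```python
"""Added example: classify a BIND version string against the fixed versions
named in this advisory. Not ISC's, Ubuntu's or Wiz's code; version tables
are taken from the advisory text, sample inputs are constructed."""

import re

# Upstream fixed versions per release branch: (major, minor) -> first fixed patch.
FIXED_UPSTREAM = {(9, 18): 41, (9, 20): 15, (9, 21): 14}
# Preview Edition fixes carry an -S1 suffix: (major, minor) -> (patch, S-level).
FIXED_PREVIEW = {(9, 18): (41, 1), (9, 20): (15, 1)}
# Ubuntu package versions that carry the fix, keyed by Ubuntu release.
FIXED_UBUNTU = {
    "25.10": "1:9.20.11-1ubuntu2.1",
    "25.04": "1:9.20.11-0ubuntu0.2",
    "24.04": "1:9.18.39-0ubuntu0.24.04.2",
    "22.04": "1:9.18.39-0ubuntu0.22.04.2",
}

_UPSTREAM_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-S(\d+))?\b")


def parse_upstream(text: str):
    """Extract (major, minor, patch, s_level) from a string such as '9.18.40',
    '9.20.14-S1' or a line of `named -v` output. s_level is 0 for the
    open-source edition."""
    m = _UPSTREAM_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, s = m.groups()
    return int(major), int(minor), int(patch), int(s) if s else 0


def upstream_status(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for an upstream build.
    Assumption of this example: branches the advisory does not list are
    flagged for manual review instead of being classified."""
    major, minor, patch, s = parse_upstream(text)
    branch = (major, minor)
    if s:  # Preview Edition: compare (patch, S-level) against the -S1 fix
        if branch not in FIXED_PREVIEW:
            return "unknown-branch"
        return "fixed" if (patch, s) >= FIXED_PREVIEW[branch] else "vulnerable"
    if branch not in FIXED_UPSTREAM:
        return "unknown-branch"
    return "fixed" if patch >= FIXED_UPSTREAM[branch] else "vulnerable"


def _numeric_tokens(pkg_version: str):
    """Simplified ordering: the integer components of a Debian-style version,
    compared left to right. Agrees with dpkg only when the non-numeric parts
    of both strings are identical; use `dpkg --compare-versions` otherwise."""
    return [int(t) for t in re.findall(r"\d+", pkg_version)]


def ubuntu_status(release: str, pkg_version: str) -> str:
    """Classify an installed bind9 package version for a given Ubuntu release.
    Distro builds backport fixes, so the upstream number inside the package
    version must not be fed to upstream_status()."""
    fixed = FIXED_UBUNTU.get(release)
    if fixed is None:
        return "unknown-release"
    ok = _numeric_tokens(pkg_version) >= _numeric_tokens(fixed)
    return "fixed" if ok else "vulnerable"


if __name__ == "__main__":
    # Constructed inputs; on a real host use `named -v` for upstream builds and
    # `dpkg-query -W -f='${Version}' bind9` for the Ubuntu package version.
    for sample in ("9.18.40", "BIND 9.18.41 (Extended Support Version)",
                   "9.20.14-S1", "9.20.15-S1", "9.21.14", "9.16.50"):
        print(f"{sample!r:45} {upstream_status(sample)}")
    for rel, pkg in (("24.04", "1:9.18.39-0ubuntu0.24.04.1"),
                     ("24.04", "1:9.18.39-0ubuntu0.24.04.2")):
        print(f"Ubuntu {rel} {pkg:32} {ubuntu_status(rel, pkg)}")
```

The split between `upstream_status` and `ubuntu_status` matters in practice: an Ubuntu 24.04 host reports an upstream-looking `9.18.39` even after the fix is installed, so scanning only the `named -v` number would produce false positives across every distro-packaged deployment.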
Source: This report was generated using AI