CVE-2025-8677: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-8677 is a vulnerability in BIND 9 that was disclosed on October 22, 2025. The vulnerability affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1. The issue involves the handling of malformed DNSKEY records within specially crafted zones (NVD).

The vulnerability is characterized by improper handling of malformed DNSKEY records, which can lead to CPU exhaustion when processing specially crafted zone data. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-405 (Asymmetric Resource Consumption) (NVD).

When exploited, this vulnerability can result in a denial of service condition through CPU exhaustion. The attack can be initiated remotely, requires no privileges or user interaction, and affects the availability of the service while not impacting confidentiality or integrity (Ubuntu Security).

Multiple vendors have released patches to address this vulnerability. Ubuntu has released fixes in versions 1:9.20.11-1ubuntu2.1 for 25.10, 1:9.20.11-0ubuntu0.2 for 25.04, 1:9.18.39-0ubuntu0.24.04.2 for 24.04 LTS, and 1:9.18.39-0ubuntu0.22.04.2 for 22.04 LTS. Debian has also addressed the issue with version 1:9.20.15-1 in their unstable release (Ubuntu Security, Debian Security).