BIND 9 Flaw Lets Attackers Crash Servers With Malicious DNS Records

A critical vulnerability in BIND 9 exposes DNS servers to remote denial-of-service (DoS) attacks.

Security firm ISC disclosed CVE-2025-13878 on January 21, 2026, warning that malformed BRID or HHIT records in DNS queries can trigger an unexpected termination of the named process.

Attackers need no authentication to exploit this, making it a high-risk issue for authoritative and recursive resolvers alike.

ISC patched the flaw in recent releases, urging administrators to update immediately.

The vulnerability affects specific versions across BIND 9’s stable branches, highlighting ongoing risks in widely used DNS software that powers much of the internet’s name resolution.

Technical Details and Affected Versions

BIND 9, the open-source DNS server from ISC, processes DNS resource records to resolve domain names.

BRID (Border Router ID) and HHIT (Host Identity with Hash) records belong to experimental extensions like Host Identity Protocol (HIP), rarely used in production but still parsed by BIND.

The flaw occurs when named encounters malformed BRID or HHIT records in a query response.

These corrupt records cause memory corruption or assertion failures, leading to a crash.

Since the issue strikes during query processing, remote attackers can send crafted DNS packets over UDP or TCP to any vulnerable server, forcing restarts and disrupting service.

CVSS v3.1 scores it at 7.5 (High): vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. No confidentiality or integrity impact exists, but the availability hit is severe: attackers can loop crashes to render servers unresponsive.

Affected versions include:

Branch             | Vulnerable Range           | Patched Version
BIND 9.18          | 9.18.40 – 9.18.43          | 9.18.44
BIND 9.20          | 9.20.13 – 9.20.17          | 9.20.18
BIND 9.21          | 9.21.12 – 9.21.16          | 9.21.17
Supported Preview  | 9.18.40-S1 – 9.18.43-S1    | 9.18.44-S1
Supported Preview  | 9.20.13-S1 – 9.20.17-S1    | 9.20.18-S1

Check your setup with named -V and upgrade via ISC downloads at isc.org/download. No workarounds exist; disabling HIP-related features won’t help since parsing happens universally.

ISC credits Vlatko Kosturjak from Marlink Cyber for discovery. No active exploits are known as of disclosure, but proof-of-concept code could emerge soon given the simplicity: craft a query with bogus BRID/HHIT RDATA and fire it at port 53.

Indicators Of Compromise and Mitigation

Monitor logs for crash signatures to detect scans or attacks. Key IoCs include:

  • Log Patterns: Entries like “assertion failure” or “malformed RDATA” in named.run or syslog, followed by “named: prematured server shutdown.”
  • Network Traffic: Spikes in UDP/TCP queries to port 53 with anomalous OPT or unknown RR types (BRID=65534, HHIT=65535). Use Wireshark filters: dns.qry.type == 65534 or dns.qry.type == 65535.
  • Process Indicators: Repeated named restarts in ps aux or systemd journals: journalctl -u bind9 | grep 'exited'.
  • Exploit Attempts: High-volume queries from single IPs with invalid record lengths >512 bytes in RR sections.

IoC Type       | Description                              | Detection Tool
Log            | Regex .BRID. .HHIT.                      |
Packet Filter  | dns contains "BRID" or "HHIT"            | tcpdump -i any port 53
Rate Anomaly   | >1000 qps from one source                | fail2ban or Suricata rules
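As an added illustration (not ISC code and not from the article), the following Python scan applies the log, query-type and rate IoCs above to constructed sample lines in BIND query-log format; the log text and addresses are made up for the example.

```python
import re
from collections import Counter

# Crash signatures the article lists as log IoCs
CRASH_RE = re.compile(r"assertion failure|malformed RDATA|prematured server shutdown", re.I)
# BIND query-log line: "<date> <time>.<ms> client @0x.. <ip>#<port> (<name>): query: <name> IN <type> ..."
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client \S+ (?P<src>[\d.]+)#\d+ .*?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)")
WATCHED_QTYPES = {"BRID", "HHIT"}   # record types named in the advisory
QPS_THRESHOLD = 1000                # the article's rate-anomaly threshold


def find_crash_events(lines):
    """Return the log lines that carry one of the crash signatures."""
    return [ln for ln in lines if CRASH_RE.search(ln)]


def find_watched_queries(lines):
    """Return (source, qname, qtype) for every query asking for a BRID or HHIT record."""
    hits = []
    for ln in lines:
        m = QUERY_RE.match(ln)
        if m and m["qtype"] in WATCHED_QTYPES:
            hits.append((m["src"], m["qname"], m["qtype"]))
    return hits


def rate_anomalies(lines, threshold=QPS_THRESHOLD):
    """Return {source_ip: peak_qps} for sources sending more than threshold queries in one second."""
    per_second = Counter()
    for ln in lines:
        m = QUERY_RE.match(ln)
        if m:
            per_second[(m["src"], m["ts"])] += 1
    peak = {}
    for (src, _ts), n in per_second.items():
        if n > threshold:
            peak[src] = max(n, peak.get(src, 0))
    return peak


def constructed_sample():
    """Constructed log: a little normal traffic, a 1200-query BRID/HHIT flood, then a crash."""
    ts = "21-Jan-2026 10:00:00"
    q = ("{ts}.{ms:03d} client @0x7f00deadbeef {src}#{port} ({name}): "
         "query: {name} IN {qtype} -E(0) (192.0.2.53)")
    lines = [q.format(ts=ts, ms=i, src="203.0.113.9", port=40000 + i, name="example.test", qtype="A")
             for i in range(5)]
    lines += [q.format(ts=ts, ms=i % 1000, src="198.51.100.7", port=50000 + i, name="victim.test",
                       qtype="BRID" if i % 2 else "HHIT") for i in range(1200)]
    lines.append(f"{ts}.998 general: critical: malformed RDATA in HHIT record: assertion failure (constructed)")
    lines.append("named: prematured server shutdown (constructed)")
    return lines
```

Running `rate_anomalies(constructed_sample())` flags only the flooding source, while `find_watched_queries` lists every BRID/HHIT lookup so the two signals can be correlated with the crash lines.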

Deploy rate limiting on DNS ports via iptables, for example iptables -A INPUT -p udp --dport 53 -m limit --limit 100/s -j ACCEPT. Note that this rule only accepts traffic within the limit; it needs a following rule that drops the excess, otherwise the surplus simply falls through to whatever rule or default policy comes next.

Enable DNSSEC validation and Response Rate Limiting (RRL) in named.conf for broader protection.

ISC maintains a BIND 9 Vulnerability Matrix tracking issues. Report suspicions to [email protected].

With BIND powering 18% of global DNS servers per recent scans, swift patching prevents widespread outages. Update now to stay resilient.
