CVE-2025-40780
CVSS 3.1 base score: 8.6 (HIGH)
EPSS: 0.03%
Description
In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use when it sends queries as a resolver. Randomised source ports and query IDs are what stop an off-path attacker from forging a response the resolver will accept; predicting both removes that obstacle, which is why the CVSS vector scores the impact on integrity (cache poisoning of answers) rather than on confidentiality or availability. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.
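A coarse check a resolver operator can run on captured outgoing queries, added here as an example (it is not code from this page, from ISC, or from BIND): it parses tcpdump-style query lines, extracts the source port and transaction ID, and scores each stream on the entropy of its values and of the differences between consecutive values. The sample captures are constructed inside the code; the tcpdump line format, the address 192.0.2.10 and the threshold 0.8 are assumptions. A plain counter passes a distinct-value check and only the delta check exposes it, which is why both are measured.

```python
import math
import random
import re
from collections import Counter

# The UDP source port and the DNS transaction ID are both 16-bit fields.
FIELD_SPACE = 1 << 16

# Matches tcpdump's default summary line for an outgoing query, e.g.
#   12:00:00.000001 IP 192.0.2.10.54321 > 198.51.100.1.53: 12345+ A? example.com. (29)
# group 1 = resolver source port, group 2 = transaction ID (flags such as '+' follow it).
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\S* ")


def parse_queries(lines):
    """Return (source_port, txid) pairs from tcpdump-style lines, skipping anything else."""
    pairs = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def entropy_bits(values):
    """Shannon entropy of the empirical distribution of the samples, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def normalized_entropy(values):
    """Entropy divided by log2(n), the most n samples could have; 1.0 means all distinct."""
    n = len(values)
    if n < 2:
        return 0.0
    return entropy_bits(values) / math.log2(n)


def successive_deltas(values):
    """Differences between consecutive samples modulo 2^16: constant for a counter."""
    return [(b - a) % FIELD_SPACE for a, b in zip(values, values[1:])]


def assess_unpredictability(pairs, threshold=0.8):
    """Score ports and IDs on their own distribution and on the distribution of their deltas.
    Any metric below the threshold marks the stream as predictable from observed traffic."""
    ports = [p for p, _ in pairs]
    ids = [t for _, t in pairs]
    report = {
        "samples": len(pairs),
        "port_entropy": normalized_entropy(ports),
        "port_delta_entropy": normalized_entropy(successive_deltas(ports)),
        "txid_entropy": normalized_entropy(ids),
        "txid_delta_entropy": normalized_entropy(successive_deltas(ids)),
    }
    report["predictable"] = any(v < threshold for k, v in report.items() if k.endswith("entropy"))
    return report


def constructed_capture(pairs):
    """Render pairs as tcpdump-style lines. Constructed sample data, not a real capture."""
    return [
        f"12:00:00.{i:06d} IP 192.0.2.10.{port} > 198.51.100.1.53: {txid}+ A? example.com. (29)"
        for i, (port, txid) in enumerate(pairs)
    ]


def sample_weak(n=64):
    """Fixed source port and a counting transaction ID: every ID is unique, so
    value entropy looks healthy, but the deltas are constant."""
    return [(34567, (1000 + i) % FIELD_SPACE) for i in range(n)]


def sample_good(n=64, seed=7):
    """Ports and IDs drawn from a seeded RNG (seeded only so the demo is repeatable)."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, FIELD_SPACE), rng.randrange(FIELD_SPACE)) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("weak", sample_weak()), ("good", sample_good())):
        print(label, assess_unpredictability(parse_queries(constructed_capture(sample))))
```

This catches only crude patterns (a fixed port, an incrementing ID). The advisory says the weakness appears under specific circumstances, which a short capture may never hit, so a clean report is not evidence that a build is unaffected; upgrading is what settles it.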
How to fix CVE-2025-40780
To remediate CVE-2025-40780, upgrade the affected package to a fixed version below.
- upgrade to 9.18.41-r0 or later
- upgrade to 1:9.16.50-1~deb11u4 or later
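A version triage helper, added here as an example (it is not from this page, from ISC, or from any distribution's tooling): it encodes the affected ranges exactly as listed in the description, pulls the upstream version out of `named -v` output or a package version string, and separately compares an X.Y.Z-rN package string against the 9.18.41-r0 line above. The `named -v` line used in the examples is representative, and reading the -rN suffix as an Alpine-style package release is my assumption. The helper deliberately does not decide "fixed" from the upstream number alone: 1:9.16.50-1~deb11u4 carries 9.16.50, which is inside the affected range, yet it is listed above as the fixed package, because distributions backport fixes without changing the upstream number.

```python
import re

# Affected ranges copied from the description, keyed by whether the build is a
# -S1 (subscriber edition) release. Versions are (major, minor, patch) tuples.
AFFECTED = {
    False: [((9, 16, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 39)),
            ((9, 20, 0), (9, 20, 13)), ((9, 21, 0), (9, 21, 12))],
    True:  [((9, 16, 8), (9, 16, 50)), ((9, 18, 11), (9, 18, 39)),
            ((9, 20, 9), (9, 20, 13))],
}

# First X.Y.Z in the text, with an optional -S1 suffix directly after it.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-S1)?")


def parse_bind_version(text):
    """Return ((major, minor, patch), is_s1) from `named -v` output or a package
    version string such as '1:9.16.50-1~deb11u4' (epoch and revision ignored)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no BIND version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) is not None


def upstream_affected(text):
    """True when the upstream version lies in one of the listed affected ranges.
    For a distribution package this only says the upstream number is in range;
    a backported fix is invisible here."""
    version, s1 = parse_bind_version(text)
    return any(lo <= version <= hi for lo, hi in AFFECTED[s1])


def alpine_package_fixed(installed, fixed="9.18.41-r0"):
    """Compare 'X.Y.Z-rN' package strings numerically: fixed when installed >= fixed.
    Assumes the Alpine-style convention where -rN is the package release number."""
    def key(value):
        version, release = value.split("-r")
        return tuple(int(part) for part in version.split(".")), int(release)
    return key(installed) >= key(fixed)


if __name__ == "__main__":
    # Representative `named -v` line, constructed for the demonstration.
    banner = "BIND 9.18.39 (Extended Support Version) <id:abcdef0>"
    print(banner, "->", "affected" if upstream_affected(banner) else "not in listed ranges")
    print("9.18.41-r0 fixed:", alpine_package_fixed("9.18.41-r0"))
```

For a Debian-style version, use the distribution's own comparator rather than reimplementing dpkg's ordering, for example `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' bind9)" ge 1:9.16.50-1~deb11u4` (the package name bind9 is an assumption).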
Is CVE-2025-40780 being exploited?
Low. The EPSS score is 0.03% (displayed as 0.0% when rounded), which is the predicted probability of exploitation in the wild over the next 30 days. EPSS is a forecast, not a record of observed exploitation, and a low score does not lower the CVSS 8.6 rating: any BIND instance that sends recursive queries is exposed, so upgrade regardless.
Affected packages (2)
- all versions < 9.18.41-r0
- all versions < 1:9.16.50-1~deb11u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.6) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |