
Cache poisoning vulnerabilities found in two DNS troubleshooting apps

“In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) being used, it is possible for an attacker to predict the source port and query ID that BIND will use,” BIND developers wrote in Wednesday's disclosure. “BIND can be tricked into caching attackers' responses if the spoofing is successful.”
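The weakness described above matters because a resolver's defence against off-path spoofing rests on the attacker being unable to guess the 16-bit query ID and the ephemeral source port of an outstanding query. A defender can sanity-check a resolver's randomization by sampling (source port, query ID) pairs from its outgoing queries, for example from a packet capture, and looking for a fixed or narrow port range and for sequential IDs. The script below is an added example written for this article, not code from ISC or BIND; the sample pairs are constructed and the thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample data standing in for (source_port, query_id) pairs
# extracted from a resolver's outgoing queries. These values are made up
# for the example and are not taken from the article or any real capture.
WELL_RANDOMIZED = [
    (53211, 0x1A2F), (17803, 0xB3C4), (61920, 0x0F5E), (33417, 0x7D91),
    (49002, 0xE217), (21865, 0x4A6B), (58731, 0x9C03), (40156, 0x26D8),
]
# A resolver that reuses one source port and counts its query IDs upward:
# exactly the pattern that makes responses easy to forge.
SEQUENTIAL = [
    (53, 0x0001), (53, 0x0002), (53, 0x0003), (53, 0x0004),
    (53, 0x0005), (53, 0x0006), (53, 0x0007), (53, 0x0008),
]


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of the observed values, in bits.

    With n samples this is capped at log2(n), so a small capture can only
    rule randomization *out*, never prove it adequate.
    """
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_randomization(samples, min_port_span=1024):
    """Flag obviously weak source-port / query-ID behaviour.

    min_port_span is an assumed threshold: a resolver whose observed ports
    all fall inside a window narrower than this is treated as suspicious.
    """
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_span = max(ports) - min(ports)
    diffs = [b - a for a, b in zip(txids, txids[1:])]
    txid_sequential = bool(diffs) and all(d == 1 for d in diffs)
    fixed_port = len(set(ports)) == 1

    findings = []
    if fixed_port:
        findings.append("fixed source port")
    elif port_span < min_port_span:
        findings.append("narrow source port range (%d)" % port_span)
    if txid_sequential:
        findings.append("sequential query IDs")

    return {
        "port_entropy_bits": shannon_entropy_bits(ports),
        "txid_entropy_bits": shannon_entropy_bits(txids),
        "port_span": port_span,
        "findings": findings,
        "weak": bool(findings),
    }


if __name__ == "__main__":
    for name, samples in (("well-randomized", WELL_RANDOMIZED),
                          ("sequential", SEQUENTIAL)):
        print(name, assess_randomization(samples))
```

In practice the pairs would be pulled from a capture of the resolver's outbound UDP/53 traffic over a period long enough to give the entropy estimate meaning; the check above is deliberately conservative and only reports patterns that are weak regardless of sample size.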

CVE-2025-40778 also raises the possibility of reviving cache poisoning attacks.

“Under certain circumstances, BIND is too lenient in accepting records of responses, allowing an attacker to inject spoofed data into the cache,” the developers explain. “Spoofed records can be injected into the cache during a query, potentially affecting the resolution of future queries.”

Even in such cases, the resulting consequences would be considerably more limited than the scenario Kaminsky envisioned. One reason for this is that authoritative servers themselves are not vulnerable. Furthermore, as Red Hat notes in its advisories, several other cache poisoning countermeasures remain intact. They include DNSSEC, a protection that requires DNS records to be digitally signed. Additional measures come in the form of rate limiting and server firewalls, which are considered best practices.

“Because exploitation is non-trivial, requires network-level spoofing and precise timing, and only affects cache integrity without server compromise, the vulnerability is considered major rather than critical,” Red Hat wrote in the CVE-2025-40780 disclosure.

Nevertheless, the vulnerabilities can cause damage in some organizations. Patches for all three should be installed as soon as possible.