
CVE-2025-13878: malformed BRID/HHIT records crash the BIND 9 DNS server

On 21 January 2026, the Internet Systems Consortium (ISC) disclosed CVE-2025-13878, a denial-of-service (DoS) vulnerability in BIND 9, the most widely deployed DNS server on the internet. The flaw carries a CVSS score of 7.5 (high) and lets a remote attacker, with no authentication and no user interaction, crash the named daemon.

What the vulnerability is

The problem lies in how BIND handles two relatively new DNS record types: HHIT (type 67) and BRID (type 68). When named processes a record of either type whose RDATA field is malformed (specifically, when it contains fewer than three octets), an assertion inside the dns_rdata_towire() function fails. That assertion failure aborts the process abruptly, leaving the DNS service unavailable.

Because the failure is triggered simply by serialising (towire) a corrupt record, all it takes is for the server to process crafted data for it to terminate unexpectedly. No credentials or special configuration are required beyond having the affected functionality active.
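The length rule above is easy to enforce before a record ever reaches the serialiser. The following is an added example written for this article, not ISC or BIND code: it parses resource records from standard DNS wire format (RFC 1035 section 3.2.1) and reports any HHIT (67) or BRID (68) record whose RDATA is shorter than three octets, which is exactly the condition the advisory describes. The sample RRset, the build_rr helper and the RDATA bytes are constructed for the demonstration; the RDATA bytes are placeholders and do not claim to follow the real HHIT/BRID RDATA layout.

```python
"""Flag HHIT/BRID records with fewer than three RDATA octets (added example, not ISC code)."""
import struct
from typing import Dict, List, Optional, Tuple

TYPE_HHIT = 67
TYPE_BRID = 68
MIN_RDATA_OCTETS = 3  # threshold quoted in the ISC advisory for CVE-2025-13878


def read_name(buf: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name (with RFC 1035 4.1.4 compression) and return (name, next_offset)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but do not move past it
            if offset + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("label too long")
        labels.append(buf[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_rr(buf: bytes, offset: int) -> Tuple[Dict, int]:
    """Parse one resource record (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA)."""
    name, offset = read_name(buf, offset)
    if offset + 10 > len(buf):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", buf[offset:offset + 10])
    offset += 10
    if offset + rdlength > len(buf):
        raise ValueError("RDLENGTH exceeds message")
    rec = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
           "rdata": buf[offset:offset + rdlength]}
    return rec, offset + rdlength


def check_record(rec: Dict) -> Optional[str]:
    """Return a finding for a malformed HHIT/BRID record, or None if the record is acceptable."""
    if rec["type"] in (TYPE_HHIT, TYPE_BRID) and len(rec["rdata"]) < MIN_RDATA_OCTETS:
        tname = "HHIT" if rec["type"] == TYPE_HHIT else "BRID"
        return (f"{rec['name']} {tname}: RDATA is {len(rec['rdata'])} octets "
                f"(< {MIN_RDATA_OCTETS}), reject")
    return None


def scan_rrset(buf: bytes, count: int) -> List[str]:
    """Parse `count` consecutive records from buf and collect findings."""
    findings, offset = [], 0
    for _ in range(count):
        rec, offset = parse_rr(buf, offset)
        finding = check_record(rec)
        if finding:
            findings.append(finding)
    return findings


def build_rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """Encode a record in wire format; only used here to build the constructed samples."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample RRset: a well-formed record of each type, then one of each
# type below the three-octet threshold. RDATA contents are placeholders.
SAMPLE_RRSET = (
    build_rr("ok.example.", TYPE_HHIT, b"\x01\x02\x03\x04")
    + build_rr("ok.example.", TYPE_BRID, b"\x00\x00\x00")
    + build_rr("bad.example.", TYPE_HHIT, b"\x01\x02")
    + build_rr("bad.example.", TYPE_BRID, b"")
)
SAMPLE_RR_COUNT = 4

if __name__ == "__main__":
    for line in scan_rrset(SAMPLE_RRSET, SAMPLE_RR_COUNT):
        print(line)
```

Run as a script it prints one finding for each of the two short records and nothing for the well-formed ones. The check is a whole-record length floor, which is all the advisory states; a full validator for these types would additionally decode the RDATA fields defined in their specification.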

Who is affected

The vulnerability affects both authoritative servers and recursive resolvers, which considerably widens the exposure surface. Any BIND 9 deployment that can receive or serve malformed HHIT/BRID records is vulnerable.

According to the ISC advisory, the affected versions are:

  • BIND 9.18.40 to 9.18.43
  • BIND 9.20.13 to 9.20.17
  • BIND 9.21.12 to 9.21.16

(plus the equivalent Supported Preview Edition variants with the -S1 suffix).

Severity and impact

The impact is denial of service: repeated crashes of named can take DNS resolution offline for entire networks, with the cascading effect that entails (email, web browsing, internal services). Because it is remotely exploitable without authentication, and since no workarounds are known, ISC recommends prioritising the update. No active exploitation was reported at the time of publication.

Mitigation and patch

ISC released fixed versions. The only effective mitigation is to upgrade to one of these:

  • BIND 9.18.44
  • BIND 9.20.18
  • BIND 9.21.17

(or their -S1 variants for the Preview Edition). No workarounds are known, so applying the patch is the recommended path.

Linux distributions have shipped the fix in their repositories. In the case of Debian, the security team published advisory DSA-6107-1 on 22 January 2026 with the updated BIND packages; running apt update && apt upgrade and restarting the named (or bind9) service is enough to apply the fix. Other distributions (Ubuntu, Red Hat, SUSE) released equivalent updates.
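To turn the affected and fixed version lists above into a quick host check, here is an added example (not ISC code and not a tool from the advisory) that extracts the 9.x.y version from a named -v style string and classifies it against the ranges this article lists. The -S1 suffix is captured so Supported Preview Edition builds are recognised too. Assumptions: the version ranges are taken verbatim from this article; the sample strings in the test are constructed. One caveat for distribution packages: a vendor may backport the fix while keeping an upstream version number inside the affected range, so treat an "affected" result as a prompt to check the package changelog (for Debian, the DSA-6107-1 update), not as proof.

```python
"""Classify a BIND 9 version string against the CVE-2025-13878 ranges (added example)."""
import re
import subprocess
from typing import Optional, Tuple

# Affected patch ranges (inclusive) and the first fixed release per branch, from the advisory.
AFFECTED = {
    (9, 18): ((40, 43), 44),
    (9, 20): ((13, 17), 18),
    (9, 21): ((12, 16), 17),
}

VERSION_RE = re.compile(r"\b(9)\.(\d+)\.(\d+)(-S1)?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_preview_edition) or None if no 9.x.y version is present.

    Accepts strings such as 'BIND 9.18.41 (Extended Support Version) <id:...>'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) is not None


def classify(text: str) -> str:
    """'affected', 'fixed', 'not-in-advisory' (branch or patch outside the listed ranges), or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, _preview = parsed
    entry = AFFECTED.get((major, minor))
    if entry is None:
        return "not-in-advisory"
    (lo, hi), fixed = entry
    if lo <= patch <= hi:
        return "affected"
    if patch >= fixed:
        return "fixed"
    return "not-in-advisory"


def installed_version_text() -> str:
    """Run `named -v` on this host; returns '' when named is not on PATH."""
    try:
        return subprocess.run(["named", "-v"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    text = installed_version_text().strip()
    print(f"{text or '(named not found)'}: {classify(text)}")
```

Patch numbers below the affected range (for example 9.18.39) are reported as not-in-advisory because the article lists 9.18.40 as the first affected release; the script does not claim anything about versions the advisory does not mention.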

If you run exposed DNS servers, it is also worth reviewing your overall security posture; pairing patching with mandatory access control (SELinux or AppArmor) confining the named process helps limit the blast radius of any similar flaw in the future.
