Bug 2367442 (CVE-2025-40775)

Summary:	CVE-2025-40775 bind: DNS message with invalid TSIG causes an assertion failure
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	eddie.rowe, security-response-team
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	An assertion failure vulnerability was found in the BIND package. When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. By sending specific messages to the server, an attacker can cause named to terminate unexpectedly, causing a denial of service.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Deadline:	2025-05-21

Description OSIDB Bzimport 2025-05-20 10:18:41 UTC

When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. By sending specific messages to the server, an attacker can cause named to terminate unexpectedly.

- Authoritative servers are affected by this vulnerability.
- Resolvers are affected by this vulnerability.

Versions affected:
- 9.20.0 -> 9.20.8
- 9.21.0 -> 9.21.7

Fixed in:
- 9.20.9
- 9.21.8