Bug 2405830 (CVE-2025-8677) - CVE-2025-8677 bind: Resource exhaustion via malformed DNSKEY handling
Summary: CVE-2025-8677 bind: Resource exhaustion via malformed DNSKEY handling
Keywords:
Status: NEW
Alias: CVE-2025-8677
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2405831 2405832 2405833 2405834
Blocks:
Reported: 2025-10-22 15:24 UTC by OSIDB Bzimport
Modified: 2025-11-04 19:04 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Internet Systems Consortium (ISC)
ID: isc-projects bind9 issues 5622
Private: 0
Priority: None
Status: opened
Summary: Validation of domains signed by unsupported and supported algorithm started failing
Last Updated: 2025-11-04 19:04:47 UTC

Description OSIDB Bzimport 2025-10-22 15:24:50 UTC
Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.

Comment 2 Petr Menšík 2025-11-04 19:04:48 UTC
There were regressions reported shortly after the release of versions 9.18.41 and 9.20.15.

Our builds should have them fixed. It failed on RHEL9 or RHEL10, where SHA-1 based signatures are considered insecure. When the domain is signed with both an unsupported algorithm (such as 5 or 7) and a supported algorithm at the same time, it resulted in SERVFAIL after the CVE fixes were applied.

https://gitlab.isc.org/isc-projects/bind9/-/issues/5622
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11202

