ISC disclosed a high-severity denial-of-service vulnerability in BIND 9 tracked as CVE-2025-13878, where remote attackers can crash the named daemon by sending specially crafted DNS traffic that triggers improper handling of malformed BRID and HHIT record data structures. The issue is remotely exploitable (no authentication or user interaction required) and is scored CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), making publicly exposed DNS infrastructure a primary risk.
The flaw affects both authoritative name servers and DNS resolvers, enabling an attacker to force a service outage by causing named to terminate unexpectedly. Reported affected versions include BIND 9.18.40–9.18.43, 9.20.13–9.20.17, and 9.21.12–9.21.16, with fixes available in 9.18.44, 9.20.18, and 9.21.17 (and corresponding SPE preview builds). The vulnerability was reported by Vlatko Kosturjak (Marlink Cyber), and ISC issued early notification ahead of public disclosure, urging administrators to verify deployed versions and apply patched releases to prevent remote crash/DoS conditions.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
ISC advised administrators to upgrade to fixed releases 9.18.44, 9.20.18, or 9.21.17 to remediate CVE-2025-13878. The advisory said no workarounds were available and that no active exploitation had been observed at disclosure time.
ISC publicly disclosed CVE-2025-13878, a high-severity remotely exploitable denial-of-service vulnerability in BIND 9 caused by malformed BRID and HHIT DNS record handling. The flaw can let an unauthenticated attacker crash the named process on both authoritative servers and resolvers.
ISC provided an early notification about the BIND 9 denial-of-service flaw later tracked as CVE-2025-13878. The notice preceded the public advisory by one week.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.