Cache poisoning vulnerabilities found in 2 DNS resolving apps

The makers of BIND, the Internet’s most widely used software for resolving domain names, are warning of two vulnerabilities that allow attackers to poison entire caches of results and send users to malicious destinations that are indistinguishable from the real ones.

The vulnerabilities, tracked as CVE-2025-40778 and CVE-2025-40780, stem from a logic error and a weakness in generating pseudo-random numbers, respectively. They each carry a severity rating of 8.6. Separately, makers of the Domain Name System resolver software Unbound warned of similar vulnerabilities that were reported by the same researchers. The unbound vulnerability severity score is 5.6

Revisiting Kaminsky’s cache poisoning attack

The vulnerabilities can be exploited to cause DNS resolvers located inside thousands of organizations to replace valid results for domain lookups with corrupted ones. The corrupted results would replace the IP addresses controlled by the domain name operator (for instance, 3.15.119.63 for arstechnica.com) with malicious ones controlled by the attacker. Patches for all three vulnerabilities became available on Wednesday.

In 2008, researcher Dan Kaminsky revealed one of the more severe Internet-wide security threats ever. Known as DNS cache poisoning, it made it possible for attackers to send users en masse to imposter sites instead of the real ones belonging to Google, Bank of America, or anyone else. With industry-wide coordination, thousands of DNS providers around the world—in coordination with makers of browsers and other client applications—implemented a fix that averted this doomsday scenario.

The vulnerability was the result of DNS’s use of UDP packets. Because they’re sent in only one direction, there was no way for DNS resolvers to use passwords or other forms of credentials when communicating with “authoritative servers,” meaning those that have been officially designated to provide IP lookups for a given top-level domain such as .com. What’s more, UDP traffic is generally trivial to spoof, meaning it’s easy to send UDP packets that appear to come from a source other than their true origin.