
CVE-2025-40777: CWE-617 Reachable Assertion in ISC BIND 9

Severity: High
Tags: Vulnerability, CVE-2025-40777, cve, cve-2025-40777, cwe-617
Published: Wed Jul 16 2025 (07/16/2025, 17:38:06 UTC)
Source: CVE Database V5
Vendor/Project: ISC
Product: BIND 9

Description

If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1.

AI-Powered Analysis

Last updated: 11/04/2025, 21:47:21 UTC

Technical Analysis

CVE-2025-40777 is a reachable assertion vulnerability (CWE-617) found in ISC BIND 9, a widely used DNS server software. The issue specifically affects versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and service pack versions 9.20.9-S1 through 9.20.10-S1. The vulnerability manifests when the `named` daemon is configured with the `serve-stale-enable` option set to `yes` and `stale-answer-client-timeout` set to `0`, which is the only allowed value besides `disabled`. Under these conditions, if the resolver encounters a CNAME chain involving a particular combination of cached or authoritative DNS records during query resolution, the daemon triggers an assertion failure and aborts. This results in a denial-of-service (DoS) condition as the DNS service becomes unavailable.

The vulnerability requires no authentication or user interaction and can be triggered remotely by sending crafted DNS queries that exploit the specific CNAME chain scenario. While the vulnerability does not compromise the confidentiality or integrity of DNS data, it severely impacts availability, potentially disrupting DNS resolution services. No public exploits have been reported yet, but the CVSS score of 7.5 (high severity) reflects the significant risk posed by this flaw. ISC had not yet published patches at the time of this report, but mitigation can involve disabling serve-stale or adjusting the `stale-answer-client-timeout` setting to avoid the vulnerable configuration. This vulnerability is critical for organizations relying on BIND 9 for DNS caching and resolution, especially those using the serve-stale feature for improved DNS resilience.

Potential Impact

The primary impact of CVE-2025-40777 is a denial-of-service condition affecting DNS availability. For European organizations, this can lead to significant operational disruptions as DNS is foundational for network communications, service accessibility, and security controls. Organizations using affected BIND versions with the vulnerable configuration risk unexpected DNS server crashes, resulting in downtime or degraded network performance. This can affect internal services, customer-facing applications, and critical infrastructure reliant on DNS. In sectors such as finance, telecommunications, government, and critical infrastructure, DNS outages can cause cascading failures and loss of trust. Additionally, attackers could exploit this vulnerability to launch targeted DoS attacks against specific organizations or DNS infrastructure providers. The lack of confidentiality or integrity impact reduces the risk of data breaches but does not diminish the operational risk posed by service unavailability. European entities with large-scale DNS deployments or those providing DNS services to customers are particularly vulnerable to reputational and financial damage from such outages.

Mitigation Recommendations

To mitigate CVE-2025-40777, European organizations should first verify if their BIND 9 installations fall within the affected version ranges and if the `serve-stale-enable` option is set to `yes` with `stale-answer-client-timeout` configured to `0`. Immediate mitigation steps include:

1) Temporarily disabling the serve-stale feature by setting `serve-stale-enable` to `no`, which removes the vulnerable code path.
2) Alternatively, adjusting `stale-answer-client-timeout` to a non-zero value or disabling it entirely to avoid triggering the assertion failure.
3) Monitoring DNS server logs for assertion failures or crashes indicative of exploitation attempts.
4) Planning and applying vendor patches or updates as soon as they become available from ISC.
5) Implementing DNS redundancy and failover mechanisms to minimize service disruption in case of a crash.
6) Restricting access to DNS resolvers to trusted clients or networks to reduce exposure to malicious queries.
7) Employing network-level protections such as rate limiting and anomaly detection to identify and block suspicious DNS traffic patterns.

These targeted mitigations go beyond generic advice by focusing on configuration changes and operational controls specific to the vulnerability's trigger conditions.
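One way to run the verification described above (affected version plus the trigger configuration), as an added example that is not part of the original page or ISC's tooling. The function names and the sample configuration are constructed for illustration; `serve-stale-enable` is matched as written on this page, alongside BIND's documented `stale-answer-enable` option.

```python
import re

# Affected ranges copied from the CVE description on this page.
AFFECTED = [((9, 20, 0), (9, 20, 10)), ((9, 21, 0), (9, 21, 9))]
AFFECTED_S = ((9, 20, 9), (9, 20, 10))  # 9.20.9-S1 through 9.20.10-S1
# Option name as written on this page, plus BIND's documented stale-answer-enable.
ENABLE_OPTS = ("serve-stale-enable", "stale-answer-enable")
TIMEOUT_OPT = "stale-answer-client-timeout"

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """
options {
    recursion yes;
    // stale-answer-client-timeout disabled;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
};
"""


def version_affected(banner):
    """True if the first x.y.z[-Sn] version in `banner` is in a listed range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-S\d+)?", banner)
    if not m:
        raise ValueError("no BIND version found in %r" % banner)
    v = tuple(int(g) for g in m.group(1, 2, 3))
    if m.group(4):  # -S releases have their own, narrower range
        return AFFECTED_S[0] <= v <= AFFECTED_S[1]
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def option_values(conf_text, name):
    """All values assigned to `name` in any block, with comments stripped."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf_text, flags=re.S)
    pat = r"(?<![\w-])" + re.escape(name) + r"\s+\"?([\w-]+)\"?\s*;"
    return [v.lower() for v in re.findall(pat, text)]


def config_exposed(conf_text):
    """True if stale answers are enabled and the client timeout is 0 anywhere."""
    on = {"yes", "true", "1"}
    enabled = any(v in on for o in ENABLE_OPTS for v in option_values(conf_text, o))
    return enabled and "0" in option_values(conf_text, TIMEOUT_OPT)


def assess(banner, conf_text):
    """Combine both checks into one finding string."""
    if not version_affected(banner):
        return "not affected"
    return "exposed" if config_exposed(conf_text) else "affected version, trigger config absent"
```

Feed it the output of `named -v` and the text of the resolver's configuration. A value set in any `options` or `view` block is treated conservatively as applying to the whole server.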


Technical Details

Data Version: 5.1
Assigner Short Name: isc
Date Reserved: 2025-04-16T08:44:49.856Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6877e564a83201eaacdcef2d

Added to database: 7/16/2025, 5:46:12 PM

Last enriched: 11/4/2025, 9:47:21 PM

Last updated: 12/4/2025, 2:44:21 AM
