Predictable from Observable State

CVE-2025-40780

High

8.6/10

Summary

In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, and supported preview editions 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-341 - Predictable from Observable State

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

References

Advisory
Advisory
Mail Thread

Advisory Timeline

Published Oct 22, 2025

Predictable from Observable State

CVE-2025-40780

Summary

CWE-341 - Predictable from Observable State

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS