Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

The version of ISC BIND installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the cve-2025-13878 advisory.

  - Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9     versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through     9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1. (CVE-2025-13878)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-34c921d252 advisory.

    # Update to 9.18.44 (rhbz#2431609)

    ## Security Fixes:

    - Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)

    ## Bug Fixes:

    - Allow glue in delegations with QTYPE=ANY.
    - Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.

    https://downloads.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html#notes-for-bind-9-18-44

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-b31c8d8e83 advisory.

    # Update to 9.21.17 (rhbz#2415843)

    ## Security Fixes:

    - Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)

    ## New Features:

    - Add support for Extended DNS Error 9 (Missing DNSKEY).
    - Add support for Extended DNS Error 13 (Cached Error).
    - Add support for Generalized DNS Notifications.

    # Features Changes:

    - Add more information to the rndc recursing output about fetches.
    - Enforce bounds of multiple configuration options.

    ## Bug Fixes:

    - Fix inbound IXFR performance regression.
    - Make DNSSEC key rollovers more robust.
    - Fix a catalog zone issue, where member zones could fail to load.
    - Fix slow speed when signing a large delegation zone with NSEC3 opt-out.
    - Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.
    - Fix a possible catalog zone issue during reconfiguration.
    - Fix the charts in the statistics channel.

    https://downloads.isc.org/isc/bind9/9.21.17/doc/arm/html/notes.html#notes-for-bind-9-21-17


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-d8979b7a9c advisory.

    # Update to 9.21.17 (rhbz#2415843)

    ## Security Fixes:

    - Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)

    ## New Features:

    - Add support for Extended DNS Error 9 (Missing DNSKEY).
    - Add support for Extended DNS Error 13 (Cached Error).
    - Add support for Generalized DNS Notifications.

    # Features Changes:

    - Add more information to the rndc recursing output about fetches.
    - Enforce bounds of multiple configuration options.

    ## Bug Fixes:

    - Fix inbound IXFR performance regression.
    - Make DNSSEC key rollovers more robust.
    - Fix a catalog zone issue, where member zones could fail to load.
    - Fix slow speed when signing a large delegation zone with NSEC3 opt-out.
    - Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.
    - Fix a possible catalog zone issue during reconfiguration.
    - Fix the charts in the statistics channel.

    https://downloads.isc.org/isc/bind9/9.21.17/doc/arm/html/notes.html#notes-for-bind-9-21-17

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:0348-1 advisory.

    Upgrade to release 9.20.18:

    - CVE-2025-13878: Fixed incorrect length checks for BRID and HHIT records (bsc#1256997)

      Feature Changes:
      * Add more information to the rndc recursing output about         fetches.
      * Reduce the number of outgoing queries.
      * Provide more information when memory allocation fails.

      Bug Fixes:
      * Make DNSSEC key rollovers more robust.
      * Fix a catalog zone issue, where member zones could fail to         load.
      * Allow glue in delegations with QTYPE=ANY.
      * Fix slow speed when signing a large delegation zone with NSEC3         opt-out.
      * Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to         be invalid.
      * Fix a possible catalog zone issue during reconfiguration.
      * Fix the charts in the statistics channel.
      * Adding NSEC3 opt-out records could leave invalid records in         chain.
      * Fix spurious timeouts while resolving names.
      * Fix bug where zone switches from NSEC3 to NSEC after         retransfer.
      * AMTRELAY type 0 presentation format handling was wrong.
      * Fix parsing bug in remote-servers with key or TLS.
      * Fix DoT reconfigure/reload bug in the resolver.
      * Skip unsupported algorithms when looking for a signing key.
      * Fix dnssec-keygen key collision checking for KEY RRtype keys.
      * dnssec-verify now uses exit code 1 when failing due to illegal         options.
      * Prevent assertion failures of dig when a server is specified         before the -b option.
      * Skip buffer allocations if not logging.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-567ff6c687 advisory.

    # Update to 9.18.44 (rhbz#2431609)

    ## Security Fixes:

    - Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)

    ## Bug Fixes:

    - Allow glue in delegations with QTYPE=ANY.
    - Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.

    https://downloads.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html#notes-for-bind-9-18-44

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20091-1 advisory.

    Upgrade to release 9.20.18:

    - CVE-2025-13878: Fixed incorrect length checks for BRID and HHIT records (bsc#1256997)

      Feature Changes:
      * Add more information to the rndc recursing output about         fetches.
      * Reduce the number of outgoing queries.
      * Provide more information when memory allocation fails.

      Bug Fixes:
      * Make DNSSEC key rollovers more robust.
      * Fix a catalog zone issue, where member zones could fail to         load.
      * Allow glue in delegations with QTYPE=ANY.
      * Fix slow speed when signing a large delegation zone with NSEC3         opt-out.
      * Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to         be invalid.
      * Fix a possible catalog zone issue during reconfiguration.
      * Fix the charts in the statistics channel.
      * Adding NSEC3 opt-out records could leave invalid records in         chain.
      * Fix spurious timeouts while resolving names.
      * Fix bug where zone switches from NSEC3 to NSEC after         retransfer.
      * AMTRELAY type 0 presentation format handling was wrong.
      * Fix parsing bug in remote-servers with key or TLS.
      * Fix DoT reconfigure/reload bug in the resolver.
      * Skip unsupported algorithms when looking for a signing key.
      * Fix dnssec-keygen key collision checking for KEY RRtype keys.
      * dnssec-verify now uses exit code 1 when failing due to illegal         options.
      * Prevent assertion failures of dig when a server is specified         before the -b option.
      * Skip buffer allocations if not logging.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6107 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6107-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     January 22, 2026                      https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : bind9     CVE ID         : CVE-2025-13878

    Vlatko Kosturjak discovered that BIND, a DNS server implementation, does     not properly handle malformed BRID/HHIT records, which may result in     denial of service (named daemon crash).

    For the oldstable distribution (bookworm), this problem has been fixed     in version 1:9.18.44-1~deb12u1.

    For the stable distribution (trixie), this problem has been fixed in     version 1:9.20.18-1~deb13u1.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-925e7cce85 advisory.

    # Update to 9.18.44 (rhbz#2431609)

    ## Security Fixes:

    - Fix incorrect length checks for BRID and HHIT records. (CVE-2025-13878)

    ## Bug Fixes:

    - Allow glue in delegations with QTYPE=ANY.
    - Reconfiguring an NSEC3 opt-out zone to NSEC caused the zone to be invalid.

    https://downloads.isc.org/isc/bind9/9.18.44/doc/arm/html/notes.html#notes-for-bind-9-18-44


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of bind installed on the remote host is prior to 9.18.44 / 9.20.18. It is, therefore, affected by a vulnerability as referenced in the SSA:2026-021-01 advisory.

    New bind packages are available for Slackware 15.0 and -current to fix security issues.

Tenable has extracted the preceding description block directly from the bind security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
298815	ISC BIND 9.18.40 < 9.18.44 / 9.18.40-S1 < 9.18.44-S1 / 9.20.13 < 9.20.18 / 9.20.13-S1 < 9.20.18-S1 / 9.21.12 < 9.21.17 Vulnerability (cve-2025-13878)	Nessus	DNS	high
298296	Fedora 42 : bind / bind-dyndb-ldap (2026-34c921d252)	Nessus	Fedora Local Security Checks	high
297453	Fedora 43 : bind9-next (2026-b31c8d8e83)	Nessus	Fedora Local Security Checks	high
297449	Fedora 42 : bind9-next (2026-d8979b7a9c)	Nessus	Fedora Local Security Checks	high
297417	SUSE SLED15 / SLES15 Security Update : bind (SUSE-SU-2026:0348-1)	Nessus	SuSE Local Security Checks	high
296673	Fedora 43 : bind / bind-dyndb-ldap (2026-567ff6c687)	Nessus	Fedora Local Security Checks	high
296570	openSUSE 16 Security Update : bind (openSUSE-SU-2026:20091-1)	Nessus	SuSE Local Security Checks	high
295331	Debian dsa-6107 : bind9 - security update	Nessus	Debian Local Security Checks	high
295325	Fedora 44 : bind / bind-dyndb-ldap (2026-925e7cce85)	Nessus	Fedora Local Security Checks	high
294902	Slackware Linux 15.0 / current bind Vulnerability (SSA:2026-021-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2025-13878

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high