CVE-2025-5994
published 2025-07-16CVE-2025-5994: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound…
PriorityP345high8.7CVSS 4.0
AVNACLATNPRNUINVCNVIHVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRUVCREXUX
EPSS
0.19%
8.6th percentile
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | unbound | < unbound 1.17.1-2+deb12u3 (bookworm) | unbound 1.17.1-2+deb12u3 (bookworm) |
| msrc | azl3_unbound_1.19.1-4_on_azure_linux_3.0 | — | — |
| msrc | cbl2_unbound_1.19.1-3_on_cbl_mariner_2.0 | — | — |
| nlnet_labs | unbound | >= 1.6.2 < 1.23.0 | 1.23.0 |
| nlnetlabs | unbound | >= 0 < 1.13.1-1+deb11u5 | 1.13.1-1+deb11u5 |
| nlnetlabs | unbound | >= 0 < 1.17.1-2+deb12u3 | 1.17.1-2+deb12u3 |
| nlnetlabs | unbound | >= 0 < 1.22.0-2 | 1.22.0-2 |
| nlnetlabs | unbound | >= 0 < 1.22.0-2 | 1.22.0-2 |
CVSS provenance
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X
osv8.7HIGH
vendor_debian8.7HIGH
vendor_msrc8.7HIGH
vendor_redhat8.7HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2025-5994: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS)
osv·2025-07-16·CVSS 8.7
CVE-2025-5994 [HIGH] CVE-2025-5994: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS)
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
GHSA
GHSA-xrv5-2wwg-jp3r: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS)
ghsa_unreviewed·2025-07-16
CVE-2025-5994 [HIGH] CWE-349 GHSA-xrv5-2wwg-jp3r: A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS)
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2025-07-22
CVE-2025-5994 Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: The Unbound cache could be poisoned if it received specially crafted
network traffic.
Xiang Li discovered that Unbound incorrectly handled EDNS Client Subnet
(ECS) in certain configurations. A remote attacker could possibly use this
issue to perform a cache poisoning attack called Rebirthday Attack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
unbound: Unbound Cache poisoning
vendor_redhat·2025-07-16·CVSS 8.7
CVE-2025-5994 [HIGH] CWE-349 unbound: Unbound Cache poisoning
unbound: Unbound Cache poisoning
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
A cache poisoning flaw was found in Unbound. Re
Microsoft
Cache poisoning via the ECS-enabled Rebirthday Attack
vendor_msrc·2025-07-08·CVSS 8.7
CVE-2025-5994 [HIGH] CWE-349 Cache poisoning via the ECS-enabled Rebirthday Attack
Cache poisoning via the ECS-enabled Rebirthday Attack
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
NLnet Labs: NLnet Labs
Customer Action Required: Yes
Debian
CVE-2025-5994: unbound - A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been ...
vendor_debian·2025·CVSS 8.7
CVE-2025-5994 [HIGH] CVE-2025-5994: unbound - A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been ...
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Scope: local
bookworm: resolved (fixed in 1.17.1-2+deb12u3)
bullseye: resolved (fi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-07-16
Published