THREATINT
PUBLISHED

CVE-2025-31498

c-ares has a use-after-free in read_answers()



Description

c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers(): process_answer() may re-enqueue a query, either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory, a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions; this has been untested. Otherwise, only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

Reserved 2025-03-28 | Published 2025-04-08 | Updated 2025-04-08 | Assigner GitHub_M


HIGH: 8.3 | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-416: Use After Free

Product status

>= 1.32.3, < 1.34.5: affected

References

github.com/...c-ares/security/advisories/GHSA-6hxc-62jh-p29v

github.com/c-ares/c-ares/pull/821

github.com/...ommit/29d38719112639d8c0ba910254a3dd4f482ea2d1

cve.org (CVE-2025-31498)

nvd.nist.gov (CVE-2025-31498)
