CVE-2025-31498

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-31498
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31498.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-31498
Aliases
  • GHSA-6hxc-62jh-p29v
Related
Published
2025-04-08T14:15:35Z
Modified
2025-04-11T04:53:27.450955Z
Summary
[none]
Details

c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in readanswers() when processanswer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

References

Affected packages

Alpine:v3.21 / c-ares

Package

Name
c-ares
Purl
pkg:apk/alpine/c-ares?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.34.5-r0

Affected versions

1.*

1.6.0-r0
1.6.0-r1
1.7.0-r0
1.7.0-r1
1.7.3-r0
1.7.4-r0
1.7.4-r1
1.7.4-r2
1.7.5-r0
1.8.0-r0
1.9.0-r0
1.9.1-r0
1.10.0-r0
1.10.0-r1
1.11.0-r0
1.12.0-r0
1.13.0-r0
1.13.0-r1
1.14.0-r0
1.15.0-r0
1.15.0-r1
1.16.0-r0
1.16.1-r0
1.17.1-r0
1.17.1-r1
1.17.2-r0
1.18.1-r0
1.18.1-r1
1.19.0-r0
1.19.0-r1
1.19.0-r2
1.19.0-r3
1.19.0-r4
1.19.1-r0
1.19.1-r1
1.20.1-r0
1.21.0-r0
1.22.0-r0
1.22.1-r0
1.23.0-r0
1.24.0-r0
1.25.0-r0
1.25.0-r1
1.26.0-r0
1.27.0-r0
1.28.1-r0
1.29.0-r0
1.31.0-r0
1.32.0-r0
1.32.1-r0
1.32.2-r0
1.32.3-r0
1.33.0-r0
1.33.1-r0
1.34.1-r0
1.34.2-r0
1.34.2-r1
1.34.2-r2
1.34.3-r0
1.34.4-r0

Debian:13 / c-ares

Package

Name
c-ares
Purl
pkg:deb/debian/c-ares?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.34.5-1

Affected versions

1.*

1.18.1-3
1.19.0-1
1.19.1-1
1.19.1-2
1.19.1-3
1.20.0-1
1.20.0-2
1.20.0-3
1.20.1-1
1.21.0-1
1.22.0-1
1.22.1-1
1.23.0-1
1.24.0-1
1.25.0-1
1.26.0-1
1.26.0-1.1~exp1
1.27.0-1
1.27.0-1.1~exp1
1.27.0-1.1
1.27.0-1.2
1.28.1-1
1.29.0-1
1.30.0-1
1.31.0-1
1.32.2-1
1.32.2-2
1.32.3-1
1.33.0-1
1.33.1-1
1.33.1-2
1.34.2-1
1.34.3-1
1.34.4-1
1.34.4-2
1.34.4-2.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/c-ares/c-ares

Affected ranges

Type
GIT
Repo
https://github.com/c-ares/c-ares
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

c-ares-1_17_0
c-ares-1_2_0
cares-1_10_0
cares-1_11_0
cares-1_11_0-rc1
cares-1_12_0
cares-1_13_0
cares-1_14_0
cares-1_15_0
cares-1_16_0
cares-1_16_1
cares-1_17_1
cares-1_17_2
cares-1_18_0
cares-1_18_1
cares-1_19_0
cares-1_19_1
cares-1_1_0
cares-1_20_0
cares-1_20_1
cares-1_21_0
cares-1_22_0
cares-1_22_1
cares-1_23_0
cares-1_24_0
cares-1_25_0
cares-1_26_0
cares-1_27_0
cares-1_28_0
cares-1_28_1
cares-1_29_0
cares-1_2_1
cares-1_3_1
cares-1_3_2
cares-1_4_0
cares-1_5_0
cares-1_5_1
cares-1_5_2
cares-1_5_3
cares-1_6_0
cares-1_7_0
cares-1_7_1
cares-1_7_2
cares-1_7_3
cares-1_7_4
cares-1_7_5
cares-1_8_0
cares-1_9_0
cares-1_9_1
curl-7_10_8
curl-7_11_0
curl-7_11_1
curl-7_12_0
curl-7_12_1
curl-7_12_2
curl-7_13_0
curl-7_13_1
curl-7_13_2
curl-7_14_0
curl-7_14_1
curl-7_15_0
curl-7_15_1
curl-7_15_3
curl-7_15_4
curl-7_15_5
curl-7_15_6-prepipeline
curl-7_16_0
curl-7_16_1
curl-7_16_2
curl-7_16_3
curl-7_16_4
curl-7_17_0
curl-7_17_1
curl-7_18_0
curl-7_18_1
curl-7_18_2
curl-7_19_0
curl-7_19_2
curl-7_19_3
curl-7_19_4
curl-7_19_5
curl-7_19_6
curl-7_19_7
curl-7_20_0

v1.*

v1.31.0