CVE-2025-31498

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-31498
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31498.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-31498
Aliases
  • GHSA-6hxc-62jh-p29v
Published
2025-04-08T13:53:11Z
Modified
2025-10-21T19:33:57Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Summary
c-ares has a use-after-free in read_answers()
Details

c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query, either due to a DNS Cookie failure, when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory, a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions; this has been untested. Otherwise, only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

Database specific
{
    "cwe_ids": [
        "CWE-416"
    ]
}
Affected packages

Git / github.com/c-ares/c-ares

Affected ranges

Type
GIT
Repo
https://github.com/c-ares/c-ares
Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "183820386375504628439630956336483954514",
                "170014685547815473654439516312448625679",
                "192301986981406392205274629667758677004"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "test/ares-test.h"
        },
        "source": "https://github.com/c-ares/c-ares/commit/d3a507e920e7af18a5efb7f9f1d8044ed4750013",
        "id": "CVE-2025-31498-9a0b3975"
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "81116089031050214011451836188209015915",
                "162838051550196214214399184258581704251",
                "43469785753896880235394251031198694807",
                "315192769480595949567591829778951505391",
                "151945359060543756337994838726187054016",
                "4652532077793734052313542969621399193",
                "8166236055823631336014910238969959370",
                "183733288092116747831016764635171599088",
                "103970777799673874031399546191976003248"
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "target": {
            "file": "test/ares-test.cc"
        },
        "source": "https://github.com/c-ares/c-ares/commit/d3a507e920e7af18a5efb7f9f1d8044ed4750013",
        "id": "CVE-2025-31498-dac768b8"
    }
]