CVE-2025-31498

Name: CVE-2025-31498

Description: c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions; this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| c-ares (PTS) | bullseye (security), bullseye | 1.17.1-1+deb11u3 | fixed |
| c-ares | bookworm | 1.18.1-3 | fixed |
| c-ares | sid, trixie | 1.34.5-1 | fixed |

The information below is based on the following data on fixed versions.

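| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| c-ares | source | bullseye | (not affected) | | | |
| c-ares | source | bookworm | (not affected) | | | |
| c-ares | source | (unstable) | 1.34.5-1 | | | |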

Notes

[bookworm] - c-ares <not-affected> (Vulnerable code not present)
[bullseye] - c-ares <not-affected> (Vulnerable code not present)
https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v
Introduced after: https://github.com/c-ares/c-ares/commit/ccd11aa37771ece1956c791a6232995317ac595e (v1.32.3)
