{"id":"CVE-2025-31498","summary":"c-ares has a use-after-free in read_answers()","details":"c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.","aliases":["GHSA-6hxc-62jh-p29v"],"modified":"2026-04-12T15:14:59.294403Z","published":"2025-04-08T13:53:11.232Z","related":["ALSA-2025:4459","ALSA-2025:4461","ALSA-2025:7426","ALSA-2025:7433","ALSA-2025:7502","openSUSE-SU-2025:14977-1"],"database_specific":{"cwe_ids":["CWE-416"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31498.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/04/08/3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/31xxx/CVE-2025-31498.json"},{"type":"ADVISORY","url":"https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31498"},{"type":"FIX","url":"https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1"},{"type":"FIX","url":"https://github.com/c-ares/c-ares/pull/821"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/c-ares/c-ares","events":[{"introduced":"5899dea2b1f8e78f311aaed7db98b82b5537c9f9"},{"fixed":"d3a507e920e7af18a5efb7f9f1d8044ed4750013"}]}],"database_specific":{"vanir_signatures_modified":"2026-04-12T15:14:59Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-31498.json","vanir_signatures":[{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["183820386375504628439630956336483954514","170014685547815473654439516312448625679","192301986981406392205274629667758677004"]},"deprecated":false,"source":"https://github.com/c-ares/c-ares/commit/d3a507e920e7af18a5efb7f9f1d8044ed4750013","target":{"file":"test/ares-test.h"},"id":"CVE-2025-31498-9a0b3975","signature_version":"v1"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["81116089031050214011451836188209015915","162838051550196214214399184258581704251","43469785753896880235394251031198694807","315192769480595949567591829778951505391","151945359060543756337994838726187054016","4652532077793734052313542969621399193","8166236055823631336014910238969959370","183733288092116747831016764635171599088","103970777799673874031399546191976003248"]},"deprecated":false,"source":"https://github.com/c-ares/c-ares/commit/d3a507e920e7af18a5efb7f9f1d8044ed4750013","target":{"file":"test/ares-test.cc"},"id":"CVE-2025-31498-dac768b8","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"}]}