Use-after-free Vulnerability in c-ares Library by c-ares Team
CVE-2025-31498

8.3HIGH

Key Information:

Vendor: C-ares
Status: C-ares
Vendor: CVE Published:; 8 April 2025

What is CVE-2025-31498?

The c-ares library, a widely used asynchronous resolver for DNS, has a use-after-free vulnerability in the read_answers() function affecting versions from 1.32.3 to 1.34.4. This issue arises when process_answer() reallocates a query due to specific conditions such as DNS Cookie failures or improper handling of EDNS by an upstream server. Affected parties may face risks if the library is subjected to rapid ICMP UNREACHABLE packets from a malicious service or, in some scenarios, alter local system behaviors, complicating the execution of send() or write(). This issue has been resolved in version 1.34.5.

Affected Version(s)

c-ares >= 1.32.3, < 1.34.5

References

https://github.com/c-ares/c-ares/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/c-ares/c-ares/pull/821

x_refsource_MISC

https://github.com/c-ares/c-ares/commit/29d38719112639d8c...

x_refsource_MISC

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2025
Vulnerability Reserved
Mar 28, 2025

C-ares

What is CVE-2025-31498?

Affected Version(s)

References

CVSS V4

Timeline