oss-sec mailing list archives
CVE-2025-31498: c-ares use-after-free
From: Brad House <brad () brad-house com>
Date: Tue, 8 Apr 2025 08:36:03 -0400
CVE-2025-31498
Impact
Use after free() in read_answers() when process_answer() may re-enqueue
a query either due to a DNS Cookie Failure or when the upstream server
does not properly support EDNS, or possibly on TCP queries if the remote
closed the connection immediately after a response. If there was an
issue trying to put that new transaction on the wire, it would close the
connection handle, but read_answers() was still expecting the connection
handle to be available to possibly dequeue other responses.
In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions; this has been untested. Otherwise, only a local attacker might be able to change system behavior to make send()/write() return a failure condition.
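The pattern behind this bug, as an added example that is not c-ares code: a constructed handle table, a process_answer() analogue that closes and frees the connection when re-sending a re-enqueued query fails, and a read_answers() analogue that re-validates the handle after every call instead of reusing a pointer cached before the loop. All names, the answer encoding (negative value = must be re-enqueued) and the write-failure flag are hypothetical.

```c
#include <stdlib.h>

#define MAX_RESP 8
#define MAX_CONN 4

struct conn {
    int answers[MAX_RESP]; /* constructed sample answers queued on this connection */
    int nanswers;
    int write_fails;       /* simulate send()/write() failing on the re-sent query */
};

/* Handle table: the reader re-looks up the connection instead of trusting a
 * pointer it cached before calling into code that may close the connection. */
static struct conn *conn_table[MAX_CONN];

static struct conn *setup_conn(int slot, const int *answers, int n, int write_fails) {
    struct conn *c = calloc(1, sizeof(*c));
    for (int i = 0; i < n && i < MAX_RESP; i++) c->answers[c->nanswers++] = answers[i];
    c->write_fails = write_fails;
    conn_table[slot] = c;
    return c;
}

static int conn_is_open(int slot) { return conn_table[slot] != NULL; }

static void conn_close(int slot) {
    free(conn_table[slot]);
    conn_table[slot] = NULL; /* invalidate the handle so no caller reuses it */
}

/* process_answer() analogue: a negative answer stands for a response that must be
 * re-enqueued (DNS cookie failure / EDNS fallback). If putting the new query on
 * the wire fails, the connection is closed and freed. Returns 1 when closed. */
static int process_answer(int slot, int answer) {
    if (answer < 0 && conn_table[slot]->write_fails) {
        conn_close(slot);
        return 1;
    }
    return 0;
}

/* read_answers() analogue, hardened: the loop condition re-reads the handle
 * table after every process_answer() call, so once the connection has been
 * closed no field of the freed struct is touched. The vulnerable form would
 * keep dereferencing the pointer obtained before the loop. Returns the number
 * of answers dequeued. */
static int read_answers_safe(int slot) {
    int processed = 0;
    struct conn *c;
    while ((c = conn_table[slot]) != NULL && c->nanswers > 0) {
        process_answer(slot, c->answers[--c->nanswers]); /* may free c */
        processed++;
    }
    return processed;
}
```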
Patches
Versions 1.32.3 - 1.34.4 are affected. Patch in 1.34.5.
Workarounds
None
References
c-ares started handling UDP write failures in 1.32.3 in PR#821
<https://github.com/c-ares/c-ares/pull/821>, whereas they were previously
ignored, thus uncovering this particular issue.
https://github.com/c-ares/c-ares/releases/tag/v1.34.5
Credit
Reported by Erik Lax