c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query, either due to a DNS Cookie failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, the connection handle would be closed, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory, a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions; this has not been tested. Otherwise, only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.
{ "vanir_signatures": [ { "target": { "file": "test/ares-test-mock.cc" }, "id": "CVE-2025-31498-10e838eb", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "224096307660494967075126981659390143777", "316584492157852318219749752785772135285", "177188122338034081861117701975235246164" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false }, { "target": { "file": "test/ares-test-mock-ai.cc" }, "id": "CVE-2025-31498-1334e8c8", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "1436877177975039831317575264470943359", "25244448408673247709983251779887324208", "165839986465120711819328927587544344453" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false }, { "target": { "function": "ares_cookie_validate", "file": "src/lib/ares_cookie.c" }, "id": "CVE-2025-31498-173a92f5", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "length": 1596.0, "function_hash": "277082667692585280219983628762356093771" }, "signature_version": "v1", "signature_type": "Function", "deprecated": false }, { "target": { "function": "ares_requeue_query", "file": "src/lib/ares_process.c" }, "id": "CVE-2025-31498-17ba0c80", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "length": 603.0, "function_hash": "18771635613544251080931875494469252663" }, "signature_version": "v1", "signature_type": "Function", "deprecated": false }, { "target": { "function": "process_answer", "file": "src/lib/ares_process.c" }, "id": "CVE-2025-31498-1b9ffd41", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "length": 1983.0, "function_hash": "293054723865756648543835061220799475655" }, "signature_version": "v1", "signature_type": 
"Function", "deprecated": false }, { "target": { "file": "test/ares-test.h" }, "id": "CVE-2025-31498-37c58779", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "129800446669305396353125348863213532396", "133337700181123435897548631795856808564", "124050909299892468328177482722688404591", "335601395212345449869783866877642123011", "54720973334533285614974118956384449484", "111114416968913494429234526486030458351", "142316505317293017866819687817769267486", "262446851771682951975641306849164492375", "160945677333895107378488500375611999928", "281280963387405444455464238860412751237", "260988261153491650533887113586247916127" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false }, { "target": { "file": "test/ares-test.cc" }, "id": "CVE-2025-31498-4f83ef33", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "107205191558033868904685146430534542602", "192405814576967836447266367247083511556", "144829440890748784227155338415792564638", "200220810391957392138176634571412893010", "139812142654765994478376356705997042850", "238118838251520367774138271950320456809", "172948854986953110597611845649204823756", "87742821237674622111044296616603525331", "229479623218737897591266531788246853789", "250381265578769223601026673477449317648", "55190894654770705352908767624312191990", "318616554860955525151660536037217943369", "29492047711532598517622481369570423537", "89586250455391140400518481121627306486", "194433563538414971795354522916816980627", "77211955589150245120183923072265221229", "117225085537565695717668930855374105055", "260983701532178311236226266666878275080" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false }, { "target": { "file": "src/lib/ares_private.h" }, "id": "CVE-2025-31498-5957a825", "source": 
"https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "187058135902009178929862348476058742980", "245941981654646948149590721303157000135", "245182285910126972150042746186850492575", "326244556697874912369195306857419053871", "171456524266844580739256308657721862019", "333604494170303888960569548365480873453", "299689159274684892827765317877429747589", "227181741779183082274950146883974112961" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false }, { "target": { "function": "ares_requeue_queries", "file": "src/lib/ares_close_sockets.c" }, "id": "CVE-2025-31498-675880b4", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "length": 228.0, "function_hash": "132830207916155997949474725274660738488" }, "signature_version": "v1", "signature_type": "Function", "deprecated": false }, { "target": { "function": "ares_send_query", "file": "src/lib/ares_process.c" }, "id": "CVE-2025-31498-6a0996be", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "length": 2170.0, "function_hash": "215646807030433524841682932203729356886" }, "signature_version": "v1", "signature_type": "Function", "deprecated": false }, { "target": { "file": "src/lib/ares_close_sockets.c" }, "id": "CVE-2025-31498-6c4518c1", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "147224075748341956842513828929654022900", "165912276056610917785774428034396811371", "17209859502660168368103672068837650244", "25012326463725282642563666136638665329" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false }, { "target": { "function": "process_timeouts", "file": "src/lib/ares_process.c" }, "id": "CVE-2025-31498-92116ec6", "source": 
"https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "length": 563.0, "function_hash": "225933359929634977815033740725116604003" }, "signature_version": "v1", "signature_type": "Function", "deprecated": false }, { "target": { "file": "src/lib/ares_cookie.c" }, "id": "CVE-2025-31498-a217f5e5", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "106144976454050888726725492795058160532", "53901478993898342165207035837316994069", "68829693763913987146331637967851092138", "140775828438196271236160185783592568970", "78366099080107361694475831042925704179", "59156940379917532358376598060648725058", "29709386716781310974778296818419394069", "139815746207235485643310553775089207933" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false }, { "target": { "function": "read_answers", "file": "src/lib/ares_process.c" }, "id": "CVE-2025-31498-c6588e5e", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "length": 788.0, "function_hash": "102060083733474387777430797225488753394" }, "signature_version": "v1", "signature_type": "Function", "deprecated": false }, { "target": { "file": "src/lib/ares_process.c" }, "id": "CVE-2025-31498-cca3c6f7", "source": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "digest": { "line_hashes": [ "315291085617700883395605537883620608156", "172802194483309429388214046291459807438", "309996518509638432750433984846996215618", "75108550685117055466400597756469428795", "68654753038465326179582426660289463489", "77395952406493187343057186277961150343", "213051138191345144583947327118690269893", "40871608050147331740983530283105157994", "255823254558803452176228199920204716850", "236938200095594072376444335660335462568", "299519038163936793750430686785890298501", "327341705871646555403489421887085496785", 
"53792075913498540895317611702484483955", "94313362882267524752818932597626408589", "225867180612201611405613966374790115080", "84936667880181104973119588342212967461", "158665621001012360259782554048652218337", "284077076186663484171672579045388849758", "110767779020604511195210845059668315729", "98050878731725423039320045957692635018", "74218033779163308830325465699762259613", "42792152515380832268060793751981449916", "130971708648986851007219816160380323571", "100612493504936331488706362266335162857", "15842644341993068743514841835326153746", "74267085403329902478453798846807265106", "52413677239787837999124467928079739491", "79819200229582398185156536354175990372", "22052889034201848537582880163264683202", "245803953167198951561155929985115727278", "267952645240888199502265473518180246449", "215317797266952336900623110669039279889", "117280856697870069818648961972203711437", "8441757077535614342946100974143814479", "157723923250526173497583066057515374328", "235955871052712682336329693693433005465", "166276716208657157621418098072228057180", "26141004603665036618917402501831236173", "306655919475126359593804039851182236550", "318352562605495613666715756232549225143", "84057522473360322399587836936314943361", "28412573489438448501382199703739007683", "18157851637855096343845393485517778025", "335072295309707535252769929248448962230", "83281187511730811924360248841733415447", "182471717468603559176544108082151833492", "135647632860325845773649912527080946069", "62658997109764444464029016782810249327", "271541558417362765644181697481899323815", "240162191390039182925159753340197405530", "663048447165364657213996370440716041", "29581071380887587840482801390297538846", "15229101147031815492578261796439560515", "63139542161007946904149139354303968749", "155448010144867206139892042569088876227", "332041784196193397743373377949884151320", "130113849291935523070806830824851518735", "74933017218631728669202294501367256875", "317599666043773408679196094952694855119", 
"232689568451221785761049811966613448280", "167449145112554680484889206704787271588", "338059010784624819362196783495160511747", "193010041120239431686003661429351125102", "54775741383001862236849093519580403109", "295729677072171189918312037597353076857", "264455831370851252222758944796510045382", "201042158407601874256460560029869124072", "178961743804939130026820147039156666957", "234442061004562892109142447300307582554", "194272356314329528492957139787565219942", "143702413940329772963506001426179460861" ], "threshold": 0.9 }, "signature_version": "v1", "signature_type": "Line", "deprecated": false } ] }