The Domain Name System (DNS) plays a pivotal role, translating human-friendly domain names into the numerical IP addresses that computers understand. And at the heart of many applications facilitating this translation lies c-ares, a robust, asynchronous DNS resolver library. But even the most steadfast tools can harbor hidden vulnerabilities, as evidenced by the recent disclosure of CVE-2025-31498.
c-ares, lauded for its ability to handle DNS queries without blocking and to manage multiple queries in parallel, has been found susceptible to a significant "use-after-free" vulnerability within its read_answers() function. This flaw, with a CVSSv4 score of 8.3, poses a considerable risk, particularly in scenarios involving DNS Cookie failures, upstream server EDNS incompatibilities, and potentially, TCP queries with abrupt connection closures.
The official security advisory explains: "Use after free() in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response."
Imagine a scenario where a DNS query is re-queued due to a hiccup in the communication process. If this re-queued transaction encounters an issue when being sent, the connection handle might close prematurely. However, read_answers() remains oblivious, still expecting the handle to be active. This discrepancy creates a window of opportunity for attackers.
"If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses," the advisory warns.
While the advisory acknowledges that triggering this remotely is possible "in theory", it would require a rather complex attack scenario, involving flooding the target with ICMP UNREACHABLE packets while controlling the upstream nameserver. However, local attackers have a more straightforward path, being able to manipulate system behaviors to cause send()/write() failures.
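The control-flow defect described above is easiest to see in a small model. The following C program is an added example written for this article, not c-ares source code: the struct layout, the function signatures and the "send failure" switch are all assumptions made for the demonstration, and a closed flag stands in for freed memory so that the vulnerable loop can run without undefined behaviour. It contrasts a read loop that ignores what process_answer() did to the handle with one that stops as soon as the handle reports that it was closed.

```c
/* Illustrative model of the read_answers()/process_answer() interaction the
 * advisory describes. Added example, not c-ares source: names, signatures
 * and the send-failure switch are assumptions. A closed flag stands in for
 * freed memory so the vulnerable path runs without undefined behaviour. */
#include <stdio.h>

enum answer_result {
    ANSWER_OK,           /* response consumed, handle still valid */
    ANSWER_CONN_CLOSED   /* query re-enqueued, resend failed, handle torn down */
};

struct conn {
    int closed;          /* in the real bug this memory would be freed */
    int responses_left;  /* responses still buffered on this handle */
};

struct stats {
    int accesses_after_close;  /* each one is a use-after-free in real code */
};

/* Assumption: the resend of a re-enqueued query can fail, as when a local
 * attacker makes send()/write() fail. */
static int g_send_fails = 0;

static void record_access(const struct conn *c, struct stats *s)
{
    if (c->closed)
        s->accesses_after_close++;
}

static void close_connection(struct conn *c)
{
    c->closed = 1;       /* real code: free the handle and drop it from the channel */
}

/* Consume one response. When it must be re-sent (DNS cookie failure or an
 * upstream without proper EDNS support) and the resend fails, the handle is
 * closed and the caller is told so. */
static enum answer_result process_answer(struct conn *c, struct stats *s,
                                         int needs_requeue)
{
    record_access(c, s);
    c->responses_left--;
    if (needs_requeue && g_send_fails) {
        close_connection(c);
        return ANSWER_CONN_CLOSED;
    }
    return ANSWER_OK;
}

/* Vulnerable shape: ignores the result and keeps dequeuing from c. */
static int read_answers_vulnerable(struct conn *c, struct stats *s, int requeue_first)
{
    int i = 0;
    for (;;) {
        record_access(c, s);            /* dereferences c even once closed */
        if (c->responses_left <= 0)
            break;
        process_answer(c, s, i == 0 && requeue_first);
        i++;
    }
    return s->accesses_after_close;
}

/* Fixed shape: stop touching the handle as soon as it reports closure. */
static int read_answers_fixed(struct conn *c, struct stats *s, int requeue_first)
{
    int i = 0;
    for (;;) {
        record_access(c, s);
        if (c->responses_left <= 0)
            break;
        if (process_answer(c, s, i == 0 && requeue_first) == ANSWER_CONN_CLOSED)
            break;                      /* handle is gone; dequeue nothing more */
        i++;
    }
    return s->accesses_after_close;
}

/* Run one scenario and return how many times the closed handle was touched.
 * fixed: 1 selects the corrected loop; send_fails: 1 makes the resend fail;
 * responses: number of buffered responses, the first of which needs a resend. */
int run_scenario(int fixed, int send_fails, int responses)
{
    struct conn c = { 0, responses };
    struct stats s = { 0 };
    g_send_fails = send_fails;
    return fixed ? read_answers_fixed(&c, &s, 1)
                 : read_answers_vulnerable(&c, &s, 1);
}

int main(void)
{
    printf("vulnerable loop, resend fails: %d accesses after close\n", run_scenario(0, 1, 3));
    printf("fixed loop, resend fails:      %d accesses after close\n", run_scenario(1, 1, 3));
    return 0;
}
```

With three buffered responses and a failing resend, the vulnerable loop touches the closed handle five times (every later dequeue plus the final emptiness check), while the fixed loop touches it zero times; when the resend succeeds neither loop misbehaves, which is why the bug only surfaces under the failure conditions the advisory lists.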
This vulnerability affects c-ares versions 1.32.3 through 1.34.4, necessitating immediate action. Fortunately, the c-ares team has swiftly released patches in version 1.34.5, providing crucial fixes.
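To check an installed or vendored copy against the affected range, a small version comparison is enough. The following helper is an added example written for this article, not part of c-ares; it parses a MAJOR.MINOR.PATCH string and reports whether it falls within 1.32.3 through 1.34.4, the range the advisory names.

```c
/* Added helper, not c-ares code: decide whether a c-ares version string falls
 * in the affected range given by the advisory, 1.32.3 through 1.34.4. */
#include <stdio.h>

/* Parse "MAJOR.MINOR.PATCH"; returns 1 on success, 0 on malformed input. */
static int parse_version(const char *s, int v[3])
{
    int consumed = 0;
    /* %n records how many characters were consumed so trailing junk is caught */
    if (sscanf(s, "%d.%d.%d%n", &v[0], &v[1], &v[2], &consumed) != 3)
        return 0;
    return s[consumed] == '\0';
}

/* Lexicographic compare of two parsed versions: -1, 0 or 1. */
static int cmp_version(const int a[3], const int b[3])
{
    for (int i = 0; i < 3; i++) {
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Returns 1 if affected, 0 if not, -1 if the string is not MAJOR.MINOR.PATCH. */
int cares_affected_by_cve_2025_31498(const char *version)
{
    static const int first_bad[3] = { 1, 32, 3 };
    static const int last_bad[3]  = { 1, 34, 4 };
    int v[3];
    if (!parse_version(version, v))
        return -1;
    return cmp_version(v, first_bad) >= 0 && cmp_version(v, last_bad) <= 0;
}

int main(void)
{
    /* Constructed sample inputs around the boundaries of the affected range. */
    const char *samples[] = { "1.32.2", "1.32.3", "1.33.1", "1.34.4", "1.34.5", "1.34" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], cares_affected_by_cve_2025_31498(samples[i]));
    return 0;
}
```

A program linked against c-ares can obtain the version string to feed this check from the library's own ares_version() call (passing NULL for the integer form); the function returns -1 rather than a guess for strings that are not three dot-separated numbers, so a truncated or tagged version string is flagged for manual review instead of silently passing.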
For those running affected versions, here are the vital patch links:
1.34 Patches: https://github.com/c-ares/c-ares/commit/066b396.patch + https://github.com/c-ares/c-ares/compare/9a48eed..d3a507e.patch
1.33 Patches: https://github.com/c-ares/c-ares/compare/69e1ad5..82489f2.patch
1.32 Patches: https://github.com/c-ares/c-ares/commit/1bcdaf0.patch