{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-31498", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-03-28T13:36:51.300Z", "datePublished": "2025-04-08T13:53:11.232Z", "dateUpdated": "2025-04-08T18:40:36.081Z"}, "containers": {"cna": {"title": "c-ares has a use-after-free in read_answers()", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.3, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v"}, {"name": "https://github.com/c-ares/c-ares/pull/821", "tags": ["x_refsource_MISC"], "url": "https://github.com/c-ares/c-ares/pull/821"}, {"name": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "tags": ["x_refsource_MISC"], "url": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1"}], "affected": [{"vendor": "c-ares", "product": "c-ares", "versions": [{"version": ">= 1.32.3, < 1.34.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-08T13:53:11.232Z"}, "descriptions": [{"lang": "en", "value": "c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5."}], "source": {"advisory": "GHSA-6hxc-62jh-p29v", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/04/08/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-08T15:03:00.750Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-08T18:40:21.274882Z", "id": "CVE-2025-31498", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T18:40:36.081Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/04/08/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-04-08T15:03:00.750Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-31498", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-08T18:40:21.274882Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-08T18:40:29.275Z"}}], "cna": {"title": "c-ares has a use-after-free in read_answers()", "source": {"advisory": "GHSA-6hxc-62jh-p29v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "c-ares", "product": "c-ares", "versions": [{"status": "affected", "version": ">= 1.32.3, < 1.34.5"}]}], "references": [{"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v", "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/c-ares/c-ares/pull/821", "name": "https://github.com/c-ares/c-ares/pull/821", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "name": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-08T13:53:11.232Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31498", "state": "PUBLISHED", "dateUpdated": "2025-04-08T18:40:36.081Z", "dateReserved": "2025-03-28T13:36:51.300Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-08T13:53:11.232Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5."}, {"lang": "es", "value": "c-ares es una librer\u00eda de resoluci\u00f3n as\u00edncrona. Desde la versi\u00f3n 1.32.3 hasta la 1.34.4, existe un m\u00e9todo de use-after-free en read_answers() cuando process_answer() puede volver a poner en cola una consulta debido a un fallo de cookie DNS, a que el servidor ascendente no soporta correctamente EDNS o, posiblemente, en consultas TCP si el servidor remoto cerr\u00f3 la conexi\u00f3n inmediatamente despu\u00e9s de una respuesta. Si hubiera un problema al intentar enviar esa nueva transacci\u00f3n, se cerrar\u00eda el identificador de conexi\u00f3n, pero read_answers() segu\u00eda esperando que este estuviera disponible para, posiblemente, retirar otras respuestas de la cola. En teor\u00eda, un atacante remoto podr\u00eda activar esto inundando el objetivo con paquetes ICMP UNREACHABLE si tambi\u00e9n controla el servidor de nombres ascendente y puede devolver un resultado con una de esas condiciones; esto no se ha probado. De lo contrario, solo un atacante local podr\u00eda modificar el comportamiento del sistema para que send()/write() devuelva una condici\u00f3n de fallo. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 1.34.5."}], "id": "CVE-2025-31498", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-04-08T14:15:35.293", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1"}, {"source": "security-advisories@github.com", "url": "https://github.com/c-ares/c-ares/pull/821"}, {"source": "security-advisories@github.com", "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/04/08/3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7502", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "nodejs22-1:22.15.0-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:4459", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:22-8100020250429143334.6d880403", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-05-05T00:00:00Z"}, {"advisory": "RHSA-2025:4461", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:20-8100020250425153222.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-05-05T00:00:00Z"}, {"advisory": "RHSA-2025:7426", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:20-9060020250425155626.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:7433", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "nodejs:22-9060020250428105352.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:7537", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "nodejs:20-9040020250506133952.rhel9", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-05-14T00:00:00Z"}], "bugzilla": {"description": "c-ares: c-ares has a use-after-free in read_answers()", "id": "2358271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358271"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.", "A flaw was found in c-ares. This vulnerability allows a remote or local attacker to cause a use-after-free, potentially leading to application-level denial of service or other unexpected behavior via manipulation of DNS responses or network conditions during query processing."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-31498", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "c-ares", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs:18/nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-04-08T13:53:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-31498\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-31498\nhttps://github.com/c-ares/c-ares/commit/29d38719112639d8c0ba910254a3dd4f482ea2d1\nhttps://github.com/c-ares/c-ares/pull/821\nhttps://github.com/c-ares/c-ares/security/advisories/GHSA-6hxc-62jh-p29v"], "statement": "This vulnerability is rated as moderate severity rather than important because successful exploitation requires a complex and unlikely set of conditions. While it is a use-after-free bug\u2014typically a serious issue\u2014the ability to trigger it remotely is largely theoretical. An attacker would need to control an upstream DNS server and simultaneously flood the target with ICMP UNREACHABLE packets to influence network behavior precisely, a scenario that is difficult to achieve in practice. Additionally, local exploitation depends on manipulating low-level socket behavior to induce send() or write() failures, which also requires elevated system influence or specific environmental conditions.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-416: Use After Free vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nAccess to the platform is granted only after successful hard token-based multi-factor authentication (MFA) and is governed by least privilege to ensure that only authorized users and roles can execute or modify code. Red Hat also enforces least functionality, enabling only essential features, services, and ports. Hardening guidelines ensure the most restrictive settings required for operations, while baseline configurations enforce safe memory allocation and deallocation practices to reduce the risk of use-after-free vulnerabilities. The environment employs IPS/IDS and antimalware solutions to detect and prevent malicious code and provide real-time visibility into memory usage, lowering the risk of arbitrary code execution. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of denial-of-service (DoS) attacks. In the event of successful exploitation, process isolation prevents a compromised process from accessing memory freed by another, containing potential impact. Finally, memory protection mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) enhance resilience against memory-related vulnerabilities.", "threat_severity": "Moderate"}

{}