c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | RedHat | nodejs22-1:22.15.0-1.el10_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:22-8100020250429143334.6d880403 | * |
| Red Hat Enterprise Linux 8 | RedHat | nodejs:20-8100020250425153222.489197e6 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:20-9060020250425155626.rhel9 | * |
| Red Hat Enterprise Linux 9 | RedHat | nodejs:22-9060020250428105352.rhel9 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | nodejs:20-9040020250506133952.rhel9 | * |
| C-ares | Ubuntu | oracular | * |
| C-ares | Ubuntu | plucky | * |
| C-ares | Ubuntu | upstream | * |