How severe is CVE-2025-31498?

This vulnerability has a severity rating of HIGH with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2025-31498?

This is classified as CWE-416, which is a common weakness in software security.

CVE-2025-31498

HIGH Year: 2025

Weakness Type

CWE-416

View all →

Vulnerability Description

c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

CVE-2016-6082

CRITICAL

CVSS:10.0(Critical)

IBM BigFix Platform could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free race condition. An attacker could exploit this vulnerability to execute arbitrary ...

CWE-4162016

CVE-2009-3616

CRITICAL

CVSS:9.9(Critical)

Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VN...

CWE-4162009

CVE-2008-5038

CRITICAL

CVSS:9.8(Critical)

Use-after-free vulnerability in the NetWare Core Protocol (NCP) feature in Novell eDirectory 8.7.3 SP10 before 8.7.3 SP10 FTF1 and 8.8 SP2 for Windows allows remote attackers to cause a denial of serv...

CWE-4162008

CVE-2010-2941

CRITICAL

CVSS:9.8(Critical)

ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-fr...

CWE-4162010

CVE-2010-4197

CRITICAL

CVSS:9.8(Critical)

Use-after-free vulnerability in WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1.2.6, and other products, allows remote attackers to cause a denial of service or possibly have un...

CWE-4162010

CVE-2010-4201

CRITICAL

CVSS:9.8(Critical)

Use-after-free vulnerability in Google Chrome before 7.0.517.44 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving text control select...

CWE-4162010

CVE-2025-31498

Vulnerability Description

Related Vulnerabilities

CVE-2016-6082

CVE-2009-3616

CVE-2008-5038

CVE-2010-2941

CVE-2010-4197

CVE-2010-4201