<Vulnerability name="CVE-2026-33630">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-07T00:00:00</PublicDate>
    <Bugzilla id="2497686" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497686" xml:lang="en:us">
c-ares: c-ares: Use-after-free / double-free in query-completion handling
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-416</CWE>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in c-ares. A use-after-free / double-free vulnerability exists in the query-completion handling path, where a query callback is invoked while the query is still linked in internal lookup structures. A remote attacker can exploit this via ares_getaddrinfo() over TCP by sending crafted DNS responses that force an EDNS-downgrade retry followed by a connection reset, causing the internal completion handler to access freed memory. This leads to memory corruption and a crash (denial of service), with potential for further impact depending on the allocator and build configuration.
    </Details>
    <Statement xml:lang="en:us">
A use-after-free / double-free vulnerability was found in c-ares' query-completion handling. The flaw is remotely exploitable without application cooperation via ares_getaddrinfo() over TCP: a malicious or on-path DNS server can force a specific sequence of responses (FORMERR without OPT record, duplicate query ID response, TCP reset) that causes the internal completion handler to access freed memory. An attacker can force the client onto TCP by setting the truncation (TC) bit in a UDP response.

The consequence is memory corruption leading to a crash (denial of service).

This is a broader fix for the pattern previously addressed in CVE-2025-31498. All versions of c-ares prior to 1.34.7 are affected.
    </Statement>
    <Mitigation xml:lang="en:us">
There is no complete mitigation for the remotely-triggered path. As a partial mitigation, use trusted DNS resolvers reached over a trusted transport (e.g., DNS-over-TLS). Avoid calling ares_cancel() from within a query callback to prevent the application-triggered path. Upgrade to c-ares 1.34.7 or later.
    </Mitigation>
    <AffectedRelease impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-07T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:36192">RHSA-2026:36192</Advisory>
        <Package name="c-ares-main">c-ares-main-1.34.7-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>c-ares</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>c-ares</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>c-ares</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>c-ares</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>c-ares</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-33630
https://nvd.nist.gov/vuln/detail/CVE-2026-33630
https://github.com/c-ares/c-ares/commit/1fa3b86a0b8d18fe7b60f3228a01d770feb026bc
https://github.com/c-ares/c-ares/commit/d823199b688052dcdc1646f2ab4cb8c16b1c644a
    </References>
</Vulnerability>