CVE-2025-24294

Severity: HIGH (CVSS 3.1 base score 7.5)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd); patch available
Analysis Generated: Mar 16, 2026 - 08:56 (vuln.today)
CVE Published: Jul 12, 2025 - 04:15 (nvd)

Description

The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

Analysis

CVE-2025-24294 is a Denial of Service vulnerability in DNS packet parsing libraries (specifically the resolv library) caused by insufficient validation of decompressed domain name lengths. An attacker can send a crafted DNS packet with a highly compressed domain name that, when decompressed, consumes excessive CPU resources without limit, causing the parsing thread to become unresponsive. The vulnerability affects any application using the vulnerable resolv library and has a CVSS score of 7.5 (high severity); real-world exploitation probability and active exploitation status cannot be confirmed without EPSS score and KEV data.

Technical Context

The vulnerability exists in DNS packet parsing, specifically in the name decompression mechanism defined in RFC 1035. DNS names in packets use pointer compression to reduce packet size—labels can reference previous portions of the packet via offset pointers. The resolv library implements this decompression but fails to enforce a maximum length limit on the resulting decompressed domain name (CWE-400: Uncontrolled Resource Consumption). An attacker can craft a packet where pointer chains cause exponential expansion during decompression (e.g., pointer A→B→C→D→... creating a deeply nested chain). The library processes this without bounds checking, causing runaway CPU consumption in the decompression loop. This affects any C/C++ application linking against the vulnerable resolv library (typically glibc's DNS resolution functions or musl libc in embedded systems).

Affected Products

The vulnerability specifically affects applications using the resolv library for DNS packet parsing. Without CPE data, likely affected products include:

1. glibc versions prior to the patched releases (Linux distributions: Red Hat Enterprise Linux, Ubuntu, Debian, CentOS);
2. musl libc (Alpine Linux and embedded systems);
3. any DNS resolver application: systemd-resolved, BIND (if using a vulnerable resolv), Unbound (if using a vulnerable underlying library), PowerDNS;
4. applications with embedded DNS parsing code.

Specific version ranges cannot be confirmed without vendor advisories. Consult Red Hat Security Advisories, Ubuntu Security Notices, Debian Security Advisories, glibc release notes, and the respective vendor security pages for exact affected version ranges and patch availability.

Remediation

1. **Patch immediately**: Update glibc, musl libc, or the affected DNS resolver to patched versions when released by vendors. Check the Red Hat, Ubuntu, Debian, and Alpine security advisories for CVE-2025-24294 patch availability.
2. **Workarounds (temporary)**: Implement rate limiting on DNS queries from untrusted sources; deploy DNS query validation at the firewall/IDS layer to drop malformed packets with excessive pointer chains; restrict the DNS service to trusted networks only.
3. **Detection**: Monitor DNS resolution threads for CPU spikes and unresponsive processes; implement DNS packet anomaly detection (flag packets with deeply nested pointer chains or decompressed names exceeding 255 octets per RFC 1035).
4. **Validation**: After patching, verify that the resolv library enforces a maximum decompressed name length (255 octets per the DNS specification) and bounds the number of decompression loop iterations.
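The Ubuntu and Debian vendor entries below track Ruby packages, so this added example is written in Ruby; it is not code from vuln.today or from Ruby's resolv library. It shows the two bounds the Validation step asks for, the 255-octet total-length limit from RFC 1035 and a bounded decompression loop (here MAX_HOPS, an assumed cap), applied to constructed packet bytes that contain a valid compressed name and a pointer loop.

```ruby
# Added example, not code from vuln.today or Ruby's resolv: a DNS name
# decompressor with the bounds the Remediation section asks a patched parser
# to enforce (RFC 1035: a wire-format name is at most 255 octets).
MAX_NAME = 255
MAX_HOPS = 16   # assumed cap on pointer follows; not from the page or the RFC

class DnsNameError < StandardError; end

# Decodes the compressed name at `offset`. Returns [labels, resume_offset],
# where resume_offset is where the caller continues in the original stream.
def decode_name(packet, offset)
  labels, wire_len, hops, resume_at = [], 0, 0, nil
  loop do
    raise DnsNameError, "name runs past end of packet" if offset >= packet.bytesize
    len = packet.getbyte(offset)
    if (len & 0xC0) == 0xC0                       # 11xxxxxx: 14-bit pointer
      raise DnsNameError, "pointer truncated" if offset + 1 >= packet.bytesize
      target = ((len & 0x3F) << 8) | packet.getbyte(offset + 1)
      hops += 1
      raise DnsNameError, "too many pointer hops" if hops > MAX_HOPS
      raise DnsNameError, "pointer must point backwards" if target >= offset
      resume_at ||= offset + 2                    # first pointer ends the name in-stream
      offset = target
    elsif (len & 0xC0) != 0                       # 01/10 prefixes are reserved
      raise DnsNameError, "reserved label type"
    else                                          # 00xxxxxx: label of 0..63 octets
      wire_len += len + 1                         # total-length bound the page says is missing
      raise DnsNameError, "name exceeds #{MAX_NAME} octets" if wire_len > MAX_NAME
      return [labels, resume_at || offset + 1] if len.zero?   # root label ends the name
      raise DnsNameError, "label truncated" if offset + 1 + len > packet.bytesize
      labels << packet.byteslice(offset + 1, len)
      offset += 1 + len
    end
  end
end

# Dotted name at `offset`, or :rejected when a bound fires.
def name_at(packet, offset)
  decode_name(packet, offset).first.join(".")
rescue DnsNameError
  :rejected
end

# Constructed test bytes (names only, no DNS header), not a captured packet.
def lbl(s); [s.bytesize] + s.bytes; end
PACKET = (lbl("example") + lbl("com") + [0] +     # offset 0:  example.com (13 octets)
          lbl("www") + [0xC0, 0x00] +             # offset 13: www + pointer to offset 0
          lbl("loop") + [0xC0, 0x13]              # offset 19: label, then pointer back to 19
         ).pack("C*")
```

`name_at(PACKET, 13)` resolves the compressed name to `www.example.com`, while `name_at(PACKET, 19)` hits the hop cap on the self-referencing pointer and returns `:rejected` instead of spinning.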

Priority Score

Priority Score: 38 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
ruby2.3

| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |

ruby2.5

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| bionic | released | 2.5.1-1ubuntu1.16+esm5 |
| questing | DNE | - |

ruby2.7

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| focal | released | 2.7.0-5ubuntu1.18+esm1 |
| questing | DNE | - |

ruby3.0

| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| jammy | released | 3.0.2-7ubuntu2.11 |
| questing | DNE | - |

ruby3.2

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| plucky | DNE | - |
| upstream | released | 3.2.9 |
| noble | released | 3.2.3-1ubuntu0.24.04.6 |
| questing | DNE | - |

ruby3.3

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| upstream | released | 3.3.9 |
| plucky | released | 3.3.7-1ubuntu2.1 |
| questing | released | 3.3.8-2ubuntu2 |

jruby

| Release | Status | Version |
|---|---|---|
| trusty | needs-triage | - |
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | DNE | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored (end of life, was needs-triage) | - |
| questing | needs-triage | - |

rubygems

| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| jammy | not-affected (code not present) | - |
| noble | not-affected (code not present) | - |
| plucky | released | 3.6.3-1ubuntu0.1 |
| questing | released | 3.6.7-2ubuntu1 |

Debian

Debian bug #1109337

ruby2.7

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.7.4-1+deb11u1 | - |
| bullseye (security) | vulnerable | 2.7.4-1+deb11u5 | - |
| (unstable) | fixed | (unfixed) | - |

ruby3.1

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm, bookworm (security) | vulnerable | 3.1.2-7+deb12u1 | - |
| (unstable) | fixed | (unfixed) | - |

ruby3.3

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| forky, sid, trixie | vulnerable | 3.3.8-2 | - |
| (unstable) | fixed | (unfixed) | - |


CVE-2025-24294 vulnerability details – vuln.today
