EUVD-2025-28273
GHSA-5qpg-rh4j-qp35
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
4Description
pycares is a Python module which provides an interface to c-ares. c-ares is a C library that performs DNS requests and name resolutions asynchronously. Prior to version 4.9.0, pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still pending. This results in a fatal Python error and interpreter crash. The vulnerability has been fixed in pycares 4.9.0 by implementing a safe channel destruction mechanism.
Analysis
pycares versions prior to 4.9.0 contain a use-after-free vulnerability (CWE-416) in the Channel object that crashes the Python interpreter when garbage collection occurs during pending DNS queries. This denial-of-service vulnerability affects any application using pycares for asynchronous DNS resolution; attackers can trigger interpreter crashes by manipulating DNS query timing, though no active exploitation or public POC is documented. The CVSS 8.2 score reflects high availability impact, but real-world exploitability is limited by the requirement for application-level DNS query patterns and Python garbage collection timing.
Technical Context
pycares is a Python binding (CPE: pycares) that wraps c-ares (a C library for asynchronous DNS name resolution per RFC 1035). The vulnerability exists in the Channel class, which manages DNS queries asynchronously. When a Channel object is garbage collected while DNS queries remain pending, the underlying c-ares library structures are freed, but active query callbacks may still reference this freed memory—a classic use-after-free condition (CWE-416: Use After Free). This occurs at the memory safety boundary between Python's garbage-collected heap and c-ares' manually-managed C memory, where Python's reference counting may release the Channel before c-ares completes query cleanup. The fix in v4.9.0 implements safe channel destruction logic to ensure pending queries complete or are properly cancelled before memory is released.
Affected Products
pycares (< 4.9.0)
Remediation
Upgrade pycares to version 4.9.0 or later; details: Applies safe channel destruction mechanism that ensures pending queries complete or are cancelled before memory release; verification: pip show pycares | grep Version (confirm 4.9.0+) Workaround (Temporary): Explicit Channel cleanup before application exit or scope end; details: Manually call channel.close() or use context managers to ensure Channel lifecycle is explicit; avoids reliance on Python garbage collection timing; code_example: with Channel() as ch: query(ch) # ensures cleanup Mitigation: Monitor DNS query patterns and Python process stability; details: Implement health checks; if using pycares pre-4.9.0, track correlated interpreter crashes with DNS query bursts
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
Debian
Bug #1109377| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 3.1.1-1 | - |
| bookworm | vulnerable | 4.3.0-2 | - |
| trixie | vulnerable | 4.4.0-2 | - |
| forky, sid | fixed | 5.0.1-3 | - |
| (unstable) | fixed | 4.9.0-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today