CVE-2026-33630
Public on 2026-07-08
Modified on 2026-07-08
Description
A use-after-free / double-free in c-ares' query-completion handling. The
same flaw — a query's callback being invoked while the query is still
linked in the channel's internal lookup structures — is present at
multiple points in the resend/finish path (timeout handling, response
handling, and query dispatch). If the query, or for `ares_getaddrinfo()`
the owning `host_query`, is freed as a side effect of that callback, it
is then accessed and/or freed a second time.
same flaw — a query's callback being invoked while the query is still
linked in the channel's internal lookup structures — is present at
multiple points in the resend/finish path (timeout handling, response
handling, and query dispatch). If the query, or for `ares_getaddrinfo()`
the owning `host_query`, is freed as a side effect of that callback, it
is then accessed and/or freed a second time.
Severity
See what this means
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | c-ares | Not Affected | ||
| Amazon Linux 2023 | c-ares | Not Affected | ||
| Amazon Linux 2023 | nodejs | No Fix Planned | ||
| Amazon Linux 2023 | nodejs20 | No Fix Planned | ||
| Amazon Linux 2023 | nodejs22 | Pending Fix | ||
| Amazon Linux 2023 | nodejs24 | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |