CVE-2026-33630

Public on 2026-07-08
Modified on 2026-07-08
Description
A use-after-free / double-free in c-ares' query-completion handling. The
same flaw — a query's callback being invoked while the query is still
linked in the channel's internal lookup structures — is present at
multiple points in the resend/finish path (timeout handling, response
handling, and query dispatch). If the query, or for `ares_getaddrinfo()`
the owning `host_query`, is freed as a side effect of that callback, it
is then accessed and/or freed a second time.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core c-ares Not Affected
Amazon Linux 2023 c-ares Not Affected
Amazon Linux 2023 nodejs No Fix Planned
Amazon Linux 2023 nodejs20 No Fix Planned
Amazon Linux 2023 nodejs22 Pending Fix
Amazon Linux 2023 nodejs24 Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H