OFFSITE.DARK

Jun 29, 2026


Sploitus / Exploitarium

  • c-ares
  • uaf
  • dns
  • exploitarium

news

c-ares TCP ares_getaddrinfo() UAF Calc PoC


Summary

Loopback DNS-over-TCP EDNS retry sequence leaves stale skip-list state; cleanup reaches attacker-shaped destructor — calc proof on main and v1.34.6. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

| Finding | Detail |
| --- | --- |
| Product / target | c-ares main @ c93e50f3 and release v1.34.6 |
| Primitive | TCP DNS double-response + connection reset → UAF in query cleanup |
| Impact | Controlled code execution in harness linking affected c-ares (not universal app exploit). |

Attack Chain

ares_getaddrinfo(EDNS|USEVC) → FORMERR then success → TCP reset → shaped allocator → proof_marker()

Mitigation

Track c-ares advisories; isolate resolver in separate process where feasible.
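
One way to apply the process-isolation advice above, as an added example that is not from the PoC or the c-ares project: the lookup runs in a forked child and the parent accepts only a fixed-size, re-validated address over a pipe, so a resolver crash is reported as an error instead of corrupting the caller. Assumptions: `resolve_isolated`, `lookup_libc` and `lookup_crash` are hypothetical names, and libc `getaddrinfo()` (IPv4, numeric hosts only) stands in for the c-ares call so the code builds without the library.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*lookup_fn)(const char *host, char out[INET_ADDRSTRLEN]);

/* Stand-in for the c-ares lookup (assumption): libc, IPv4, numeric hosts only, runs offline. */
int lookup_libc(const char *host, char out[INET_ADDRSTRLEN]) {
    struct addrinfo hints = { .ai_family = AF_INET, .ai_flags = AI_NUMERICHOST }, *res = NULL;
    if (getaddrinfo(host, NULL, &hints, &res) != 0) return -1;
    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    int ok = inet_ntop(AF_INET, &sin->sin_addr, out, INET_ADDRSTRLEN) != NULL;
    freeaddrinfo(res);
    return ok ? 0 : -1;
}

/* Constructed faulty resolver: dies on a signal, as a corrupted heap typically would. */
int lookup_crash(const char *host, char out[INET_ADDRSTRLEN]) { (void)host; (void)out; abort(); }

/* Runs fn in a child. Returns 0 and fills out, -1 on lookup failure,
 * -2 if the child was killed by a signal (crash or timeout). */
int resolve_isolated(lookup_fn fn, const char *host, char out[INET_ADDRSTRLEN]) {
    int fds[2], status = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                          /* child: the only place resolver code runs */
        char buf[INET_ADDRSTRLEN] = {0};
        close(fds[0]);
        alarm(5);                            /* bound the resolver's lifetime */
        if (fn(host, buf) != 0) _exit(1);
        _exit(write(fds[1], buf, sizeof buf) == (ssize_t)sizeof buf ? 0 : 1);
    }
    close(fds[1]);
    char buf[INET_ADDRSTRLEN];
    ssize_t n = read(fds[0], buf, sizeof buf);   /* one fixed-size message, nothing else */
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status)) return -2;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || n != (ssize_t)sizeof buf) return -1;
    buf[sizeof buf - 1] = '\0';
    struct in_addr parsed;                   /* re-validate: the child's output is untrusted */
    if (inet_pton(AF_INET, buf, &parsed) != 1) return -1;
    memcpy(out, buf, sizeof buf);
    return 0;
}
```

Process separation only contains the fault if the child holds no secrets or privileges worth taking; restricting the child further (for example with seccomp or a separate uid) is outside this example.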
