{
  "variant_id": "pruva-cares-cve-2026-33630-timeout-reentrant-cancel",
  "created_at": "2026-07-07T00:00:00Z",
  "variant_summary": "Distinct vulnerable-version alternate trigger for CVE-2026-33630: a real UDP DNS peer withholds a response, driving process_timeouts(); the timeout callback reenters c-ares via public ares_cancel(), causing a vulnerable-only double free in v1.34.6. The candidate is not a bypass because v1.34.7 blocks it with ares_flush_requeue() detach-before-callback handling.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/c-ares/c-ares",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "3ac47ee46edd8ea40370222f91613fc16c434853",
    "version": "1.34.6",
    "ref": "v1.34.6",
    "display": "c-ares v1.34.6 parent vulnerable target"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "3ac47ee46edd8ea40370222f91613fc16c434853",
    "version": "1.34.6",
    "ref": "v1.34.6",
    "display": "c-ares v1.34.6 alternate timeout trigger; fixed control v1.34.7 d63b7de3a3568d14ab1351374b205365aed51cca"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "dns_remote",
  "validated_surface": "dns_remote_timeout_reentrant_cancel",
  "required_entrypoint_kind": "dns_query_timeout",
  "required_entrypoint_detail": "Application issues public ares_query_dnsrec(); DNS peer receives the UDP query and withholds the response; process_timeouts() invokes the callback, which reenters through public ares_cancel().",
  "attacker_controlled_input": "Remote DNS peer controls response timing by withholding DNS replies. Reentrant ares_cancel() is modeled as application callback behavior and is required to exercise the lifetime bug.",
  "trigger_path": "ares_query_dnsrec() -> UDP blackhole DNS peer -> process_timeouts() -> ares_requeue_query(... requeue=NULL) -> end_query() -> callback -> ares_cancel() -> second callback/free -> outer ares_free_query() double free in v1.34.6",
  "observed_impact_class": "memory_corruption",
  "exploitability_confidence": "medium",
  "evidence_scope": "runtime_side_by_side_vulnerable_and_fixed",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "not_a_bypass_fixed_version_covers_timeout_alternate_trigger",
  "blocking_mitigation": "v1.34.7 contains fix commit d823199b688052dcdc1646f2ab4cb8c16b1c644a; process_timeouts(), read_answers(), and ares_send_query() drain through ares_flush_requeue(), which detaches before invoking callbacks.",
  "file_path": "src/lib/ares_process.c",
  "line_start": 692,
  "line_end": 724,
  "secondary_anchors": [
    {
      "file_path": "src/lib/ares_process.c",
      "line_start": 970,
      "line_end": 1002
    },
    {
      "file_path": "src/lib/ares_process.c",
      "line_start": 1474,
      "line_end": 1486
    },
    {
      "file_path": "src/lib/ares_cancel.c",
      "line_start": 58,
      "line_end": 74
    },
    {
      "file_path": "src/lib/ares_process.c (fixed v1.34.7)",
      "line_start": 604,
      "line_end": 676
    }
  ],
  "review_scope_paths": [
    "src/lib/ares_process.c",
    "src/lib/ares_cancel.c",
    "src/lib/ares_destroy.c",
    "src/lib/ares_close_sockets.c",
    "src/lib/ares_getaddrinfo.c",
    "src/lib/ares_query.c",
    "src/lib/ares_search.c",
    "SECURITY.md",
    "README.md"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/vuln_variant_reproduction_steps.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh",
      "vuln_variant/timeout_cancel_probe.c"
    ]
  }
}
