{"id":"CVE-2023-31137","summary":"MaraDNS Integer Underflow Vulnerability in DNS Packet Decompression","details":"MaraDNS is open-source software that implements the Domain Name System (DNS). In version 3.5.0024 and prior, a remotely exploitable integer underflow vulnerability in the DNS packet decompression function allows an attacker to cause a Denial of Service by triggering an abnormal program termination.\n\nThe vulnerability exists in the `decomp_get_rddata` function within the `Decompress.c` file. When handling a DNS packet with an Answer RR of qtype 16 (TXT record) and any qclass, if the `rdlength` is smaller than `rdata`, the result of the line `Decompress.c:886` is a negative number `len = rdlength - total;`. This value is then passed to the `decomp_append_bytes` function without proper validation, causing the program to attempt to allocate a massive chunk of memory that is impossible to allocate. Consequently, the program exits with an error code of 64, causing a Denial of Service.\n\nOne proposed fix for this vulnerability is to patch `Decompress.c:887` by breaking `if(len \u003c= 0)`, which has been incorporated in version 3.5.0036 via commit bab062bde40b2ae8a91eecd522e84d8b993bab58.","aliases":["GHSA-58m7-826v-9c3c"],"modified":"2026-05-01T04:19:04.035976Z","published":"2023-05-09T13:56:46.219Z","database_specific":{"cna_assigner":"GitHub_M","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"last_affected":"3.5.0024"}]}],"cwe_ids":["CWE-191"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/31xxx/CVE-2023-31137.json"},"references":[{"type":"WEB","url":"https://github.com/samboy/MaraDNS/blob/08b21ea20d80cedcb74aa8f14979ec7c61846663/dns/Decompress.c#L886"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00019.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3VSMLJX25MXGQ6A7UPOGK7VPUVDESPHL/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NB7LDZM5AGWC5BHHQHW6CP5OFNBBKFOQ/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/31xxx/CVE-2023-31137.json"},{"type":"ADVISORY","url":"https://github.com/samboy/MaraDNS/security/advisories/GHSA-58m7-826v-9c3c"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-31137"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5441"},{"type":"FIX","url":"https://github.com/samboy/MaraDNS/commit/bab062bde40b2ae8a91eecd522e84d8b993bab58"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/samboy/MaraDNS","events":[{"introduced":"d498dc08141791194e4224e3159e0493bd52d447"},{"fixed":"08b21ea20d80cedcb74aa8f14979ec7c61846663"}],"database_specific":{"cpe":"cpe:2.3:a:maradns:maradns:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"3.5.0001"},{"fixed":"3.5.0036"}]}}],"versions":["2020-08-04","2020-08-05","2020-08-06","3.5.0001","3.5.0002","3.5.0003","3.5.0004","3.5.0005","3.5.0006","3.5.0007","3.5.0008","3.5.0009","3.5.0010","3.5.0011","3.5.0012","3.5.0013","3.5.0014","3.5.0015","3.5.0016","3.5.0017","3.5.0018","3.5.0019","3.5.0020","3.5.0021","3.5.0022","3.5.0023","3.5.0024","3.5.0025","3.5.0026","3.5.0027","3.5.0028","3.5.0029","3.5.0030","3.5.0031","3.5.0032","3.5.0033","3.5.0034","3.5.0035","coLunacyDNS-1.0.002","coLunacyDNS-1.0.008","coLunacyDNS-1.0.009","coLunacyDNS-1.0.010","coLunacyDNS-1.0.012"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31137.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/samboy/maradns","events":[{"introduced":"0"},{"fixed":"bab062bde40b2ae8a91eecd522e84d8b993bab58"}],"database_specific":{"source":"REFERENCES"}}],"versions":["2.0.12-RELEASE","2.0.13","2.0.16","2016-05-05","2017-11-11","2018-04-11","2018-08-13","2018-08-17","2020-08-04","2020-08-05","2020-08-06","3.2.06","3.4.01","3.5.0001","3.5.0002","3.5.0003","3.5.0004","3.5.0005","3.5.0006","3.5.0007","3.5.0008","3.5.0009","3.5.0010","3.5.0011","3.5.0012","3.5.0013","3.5.0014","3.5.0015","3.5.0016","3.5.0017","3.5.0018","3.5.0019","3.5.0020","3.5.0021","3.5.0022","3.5.0023","3.5.0024","3.5.0025","3.5.0026","3.5.0027","3.5.0028","3.5.0029","3.5.0030","3.5.0031","3.5.0032","3.5.0033","3.5.0034","3.5.0035","coLunacyDNS-1.0.002","coLunacyDNS-1.0.008","coLunacyDNS-1.0.009","coLunacyDNS-1.0.010","coLunacyDNS-1.0.012","deadwood-3.2.10","deadwood-3.2.13","deadwood-3.3.01","deadwood-3.3.02","maradns-2.0.10","maradns-2.0.10a","maradns-2.0.11","maradns-2.0.14","maradns-2.0.17"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-31137.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}