{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos8.4els/vex/2025/cve-2025-24294-els_os-centos8_4els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-08T20:33:43Z",
      "generator": {
        "date": "2026-04-08T20:33:43Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2025-24294-ELS_OS-CENTOS8.4ELS",
      "initial_release_date": "2025-07-12T03:30:00Z",
      "revision_history": [
        {
          "date": "2025-07-12T03:30:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-08T20:33:43Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Security update on CVE-2025-24294"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 8.4",
                "product": {
                  "name": "Community Enterprise Operating System 8.4",
                  "product_id": "CentOS-8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:8.4:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cpp-0:8.4.1-1.el8.4.x86_64",
                "product": {
                  "name": "cpp-0:8.4.1-1.el8.4.x86_64",
                  "product_id": "cpp-0:8.4.1-1.el8.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/cpp@8.4.1-1.el8.4?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64",
                "product": {
                  "name": "cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64",
                  "product_id": "cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/cpp@8.4.1-1.el8.4.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64",
                "product": {
                  "name": "cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64",
                  "product_id": "cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/cpp@8.4.1-1.el8.4.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64"
        },
        "product_reference": "cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cpp-0:8.4.1-1.el8.4.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:cpp-0:8.4.1-1.el8.4.x86_64"
        },
        "product_reference": "cpp-0:8.4.1-1.el8.4.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64"
        },
        "product_reference": "cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-24294",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "description",
          "text": "The impact is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.\nAn attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, because the library does not limit the resulting length of the name.\nThis resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64",
          "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64",
          "CentOS-8.4:cpp-0:8.4.1-1.el8.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-24294"
        }
      ],
      "release_date": "2025-07-12T03:30:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This is a denial‑of‑service condition limited to Ruby’s resolv library: it only causes CPU burn during DNS name decompression, with no confidentiality or integrity impact, and its effect is typically confined to the calling thread rather than the whole host. The flaw is reachable only in Ruby applications that explicitly use resolv/Resolv::DNS (or resolv-replace) to parse DNS replies; applications that rely on the operating system resolver (e.g., getaddrinfo) are not exposed. Exploitation also requires that a crafted DNS response be accepted by that Ruby resolver (for example, by an attacker being on‑path or controlling an upstream resolver), a constrained precondition in centrally managed server/VM environments, so this can be safely deprioritized.",
          "product_ids": [
            "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64",
            "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64",
            "CentOS-8.4:cpp-0:8.4.1-1.el8.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els1.x86_64",
            "CentOS-8.4:cpp-0:8.4.1-1.el8.4.tuxcare.els2.x86_64",
            "CentOS-8.4:cpp-0:8.4.1-1.el8.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}