VYPR
Unrated severity · NVD Advisory · Published Mar 20, 2018 · Updated Aug 6, 2024

CVE-2014-2031

Description

Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allows remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging permission to perform recursive queries against Deadwood, related to a logic error.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A logic error in the Deadwood recursive resolver allows remote attackers to cause a denial of service via an out-of-bounds read.

Vulnerability

A logic error in Deadwood (the recursive DNS resolver used in MaraDNS) causes an out-of-bounds read when processing certain DNS queries. The bug exists in Deadwood versions before 2.3.09 and 3.x before 3.2.05, and consequently in MaraDNS versions before 1.4.14 and 2.x before 2.0.09 [1][2]. The flaw is in the code that handles recursive queries; specifically, because of the logic error it would "make no sense to add begin and obj->len" [3], and the resulting bounds check is incorrect.

Exploitation

An attacker must have permission to perform recursive queries against a vulnerable Deadwood instance. By sending a specially crafted DNS query, the attacker triggers the logic error, causing an out-of-bounds read that crashes the process [2]. No authentication is required beyond the ability to send recursive queries.

Impact

Successful exploitation causes a denial of service (DoS) by crashing the Deadwood process, which disrupts DNS resolution for legitimate users. The impact is limited to availability; no code execution or data disclosure is indicated.

Mitigation

The vulnerability is fixed in Deadwood 2.3.09 and 3.2.05, and in MaraDNS 1.4.14 and 2.0.09 [1]. Users should upgrade to these versions or later. No workaround is documented. MaraDNS 1.x is end-of-life as of June 21, 2015 [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Maradns/Maradns (inferred), 2 versions
    • (no CPE) range: >=2.0,<2.0.09
    • (no CPE) range: <1.4.14 or >=2.0.0 <2.0.09
  • Range: <2.3.09 or >=3.0.0 <3.2.05

References

5