C-ares Project » C-ares : Security Vulnerabilities, CVEs, (Denial of service)
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
Max CVSS
9.8
EPSS Score
4.52%
Published
2016-10-03
Updated
2023-09-15
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
Max CVSS
8.6
EPSS Score
0.06%
Published
2023-03-06
Updated
2024-01-05
A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions < 15.2.1, < 14.15.1, and < 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and 12.19.1.
Max CVSS
7.5
EPSS Score
0.76%
Published
2020-11-19
Updated
2022-05-10
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
Max CVSS
7.5
EPSS Score
0.08%
Published
2023-05-25
Updated
2023-10-31
4 vulnerabilities found