Every CVE whose affected-product data names C-ares Project C-ares, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2016-5180 — CVSS 9.8 (critical): Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of…
CVE-2022-4904 — CVSS 8.6 (high): A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a…
CVE-2023-32067 — CVSS 7.5 (high): c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker…
CVE-2017-1000381 — CVSS 7.5 (high): The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the…
CVE-2020-8277 — CVSS 7.5 (high): A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in…
CVE-2023-31147 — CVSS 5.9 (medium): c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random…
CVE-2021-3672 — CVSS 5.6 (medium): A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to…
CVE-2023-31130 — CVSS 4.1 (medium): c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in…
CVE-2023-31124 — CVSS 3.7 (low): c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be…