GCVE - cpe:2.3:a:n/a:c-ares:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:n/a:c-ares:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	N/A (`22f567d3-1203-528c-8f0e-3eb9c2f6ca78`)
Product	C Ares (`ad104b8a-bc94-51ed-b702-08ce106018c0`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2022-4904`	vulnerable	2026-06-08 05:52:02.165362	Details available A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. Published: 2023-03-06T00:00:00.000Z Updated: 2025-12-02T20:25:58.780Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=2168631 https://github.com/c-ares/c-ares/issues/496 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/ https://security.gentoo.org/glsa/202401-02	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-3672`	vulnerable	2026-06-08 05:33:53.383773	Details available A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. Published: 2021-11-23T00:00:00.000Z Updated: 2024-10-15T17:14:27.220Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=1988342 https://c-ares.haxx.se/adv_20210810.html https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://www.oracle.com/security-alerts/cpujul2022.html https://security.gentoo.org/glsa/202401-02	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2020-14354`	vulnerable	2026-06-08 05:19:23.092303	Details available A possible use-after-free and double-free in c-ares lib version 1.16.0 if ares_destroy() is called prior to ares_getaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability. Published: 2021-05-13T13:38:56.000Z Updated: 2024-08-04T12:39:36.541Z Open on db.gcve.eu Reference links https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/ https://bugzilla.redhat.com/show_bug.cgi?id=1866838 https://packetstormsecurity.com/files/158755/GS20200804145053.txt https://c-ares.haxx.se/changelog.html https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.