CVE-2016-5180

Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ChromeCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
VendorProductVersion
c-aresc-ares
1.0.0
c-aresc-ares
1.1.0
c-aresc-ares
1.2.0
c-aresc-ares
1.2.1
c-aresc-ares
1.3.0
c-aresc-ares
1.3.1
c-aresc-ares
1.3.2
c-aresc-ares
1.4.0
c-aresc-ares
1.5.0
c-aresc-ares
1.5.1
c-aresc-ares
1.5.2
c-aresc-ares
1.5.3
c-aresc-ares
1.6.0
c-aresc-ares
1.7.0
c-aresc-ares
1.7.1
c-aresc-ares
1.7.2
c-aresc-ares
1.7.3
c-aresc-ares
1.7.4
c-aresc-ares
1.7.5
c-aresc-ares
1.8.0
c-aresc-ares
1.9.0
c-aresc-ares
1.9.1
c-aresc-ares
1.10.0
c-ares_projectc-ares
1.11.0
debiandebian_linux
8.0
nodejsnode.js
0.10.0 ≤
𝑥
< 0.10.48
nodejsnode.js
0.12.0 ≤
𝑥
< 0.12.17
nodejsnode.js
4.0.0 ≤
𝑥
< 4.6.1
canonicalubuntu_linux
12.04
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
canonicalubuntu_linux
16.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
c-ares
bullseye (security)
1.17.1-1+deb11u3
fixed
bullseye
1.17.1-1+deb11u3
fixed
bookworm
1.18.1-3
fixed
sid
1.34.2-1
fixed
trixie
1.34.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
c-ares
zesty
not-affected
yakkety
Fixed 1.11.0-1ubuntu0.1
released
xenial
Fixed 1.10.0-3ubuntu0.1
released
trusty
Fixed 1.10.0-2ubuntu0.1
released
precise
not-affected
Common Weakness Enumeration
References
http://rhn.redhat.com/errata/RHSA-2017-0002.html
http://www.debian.org/security/2016/dsa-3682
http://www.securityfocus.com/bid/93243
http://www.ubuntu.com/usn/USN-3143-1
https://c-ares.haxx.se/CVE-2016-5180.patch
https://c-ares.haxx.se/adv_20160929.html
https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html
https://security.gentoo.org/glsa/201701-28
https://source.android.com/security/bulletin/2017-01-01.html
http://rhn.redhat.com/errata/RHSA-2017-0002.html
http://www.debian.org/security/2016/dsa-3682
http://www.securityfocus.com/bid/93243
http://www.ubuntu.com/usn/USN-3143-1
https://c-ares.haxx.se/CVE-2016-5180.patch
https://c-ares.haxx.se/adv_20160929.html
https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html
https://security.gentoo.org/glsa/201701-28
https://source.android.com/security/bulletin/2017-01-01.html