Updated: 2026-02-27 01:14:54.22723
Description:
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | LOW | 3.7 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | c-ares | 1.17.1 | 3.7 | LOW | Released | CLSA-2025:1744721593 | 2025-04-16 04:33:21 | |
| AlmaLinux 9.2 ESU | nodejs | 16.20.2 | 3.7 | LOW | Ignored | 2025-08-23 06:48:15 | ||
| CentOS 7 ELS | c-ares | 1.10.0 | 3.7 | LOW | Ignored | 2024-07-17 17:24:54 | Ignored due to low severity |