Updated: 2026-02-27 02:12:17.872604
Description:
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | MEDIUM | 6.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | c-ares | 1.17.1 | 6.5 | MEDIUM | Released | CLSA-2025:1744721593 | 2025-04-16 04:33:20 | |
| AlmaLinux 9.2 ESU | nodejs | 16.20.2 | 6.5 | MEDIUM | Already Fixed | 2025-08-28 00:57:14 | ||
| CentOS 7 ELS | c-ares | 1.10.0 | 6.5 | MEDIUM | Ignored | 2024-07-12 05:05:40 | Ignored due to low severity |