Updated: 2026-02-27 03:16:41.415059
Description:
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | MEDIUM | 5.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | c-ares | 1.17.1 | 5.5 | MEDIUM | Released | CLSA-2025:1744721593 | 2025-04-16 04:33:23 | |
| AlmaLinux 9.2 ESU | nodejs | 16.20.2 | 5.5 | MEDIUM | Released | CLSA-2025:1756408700 | 2025-08-28 23:01:08 | |
| CentOS 7 ELS | c-ares | 1.10.0 | 5.5 | MEDIUM | Ignored | 2025-02-12 06:31:44 | Ignored due to low severity | |
| Oracle Linux 7 ELS | c-ares | 1.10.0 | 5.5 | MEDIUM | Ignored | 2025-10-07 16:39:43 | Ignored due to low severity | |
| TuxCare 9.6 ESU | nodejs | 16.20.2 | 5.5 | MEDIUM | Already Fixed | 2026-01-30 14:49:44 |