CVE-2020-14354

Name of the Vulnerable Software and Affected Versions c-ares lib version 1.16.0

Description The issue is related to a possible use-after-free and double-free in the c-ares library. This occurs when ares destroy() is called before ares getaddrinfo() completes. The flaw could allow an attacker to crash the service that uses the c-ares library, with the highest threat being to the service's availability.

Recommendations For c-ares lib version 1.16.0, ensure that ares getaddrinfo() completes before calling ares destroy() to prevent potential crashes. As a temporary workaround, consider avoiding the use of ares destroy() until ares getaddrinfo() has finished, or implement a delay between these function calls to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.