PT-2023-6788 · C-Ares+10

Hannes Moesl · Published 2023-05-22 · Updated 2026-02-18 · CVE-2023-31130

CVSS v3.1: 6.4 (Medium)
Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: c-ares versions prior to 1.19.1

Description: The issue is a buffer underflow in the ares_inet_net_pton() function for certain IPv6 addresses, such as "0::00:00:00/2". This function is used internally by c-ares for configuration purposes, which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes, making them vulnerable to more severe issues.

Recommendations: For versions prior to 1.19.1, update to version 1.19.1 to resolve the issue. As a temporary workaround, consider restricting the use of the ares_inet_net_pton() function for external purposes until the update is applied. Additionally, avoid using the ares_set_sortlist() function to configure IPv6 addresses that may cause the buffer underflow issue.

Exploit

Fix

DoS

Memory Corruption

Weakness Enumeration

Related Identifiers

ALSA-2023:3577
ALSA-2023:3586
ALSA-2023:4034
ALSA-2023:4035
ALSA-2023:6635
ALSA-2023:7207
ALT-PU-2023-4134
ALT-PU-2023-4623
ALT-PU-2023-5121
AZL-26914
AZL-26917
AZL-26922
AZL-26938
AZL-26940
AZL-26941
AZL-34781
AZL-43693
BDU:2023-07647
CESA-2023_4034
CESA-2023_4035
CESA-2023_7207
CVE-2023-31130
DLA-3471-1
DSA-5419-1
GHSA-X6MF-CXR9-8Q6V
OESA-2023-1357
OESA-2023-1358
OESA-2023-1359
OESA-2023-1360
OPENSUSE-SU-2024:12951-1
RHSA-2023:3577
RHSA-2023:3586
RHSA-2023:4033
RHSA-2023:4034
RHSA-2023:4035
RHSA-2023:4036
RHSA-2023:4039
RHSA-2023:6635
RHSA-2023:7207
RHSA-2023:7392
RHSA-2023:7543
RHSA-2023_3577
RHSA-2023_3586
RHSA-2023_4034
RHSA-2023_4035
RHSA-2023_6635
RHSA-2023_7207
RLSA-2023:3577
RLSA-2023:4034
RLSA-2023:4035
RLSA-2023:7207
ROSA-SA-2023-2284
SUSE-SU-2023:2313-1
SUSE-SU-2023:2477-1
SUSE-SU-2023:2655-1
SUSE-SU-2023:2662-1
SUSE-SU-2023:2663-1
SUSE-SU-2023:2669-1
SUSE-SU-2023:2861-1
USN-6164-1
USN-6164-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
C-Ares