CVE-2024-25629
MEDIUMDescription
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| c-ares | c-ares |
| fedoraproject | fedora |
| fedoraproject | fedora |
| fedoraproject | fedora |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2024-25629? +
How severe is CVE-2024-25629? +
What products are affected by CVE-2024-25629? +
How do I check if I'm vulnerable to CVE-2024-25629? +
Related Vulnerabilities
No proper validation of the length of user input in http_server_get_content_type_from_extension.
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between …
Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote …
A flaw was found in libsoup. The libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read.
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Java TLS ioctl probe …
c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and …