CVE-2023-31130 MEDIUM

CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton()

Vendor C-Ares
Product c-ares
Weakness CWE-124
Published May 25, 2023
Last update February 13, 2025

CVSS base score

4.1/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.

Key dates

02Disclosure timeline

May 25, 2023 CVE published
February 13, 2025 Record updated