CVE-2016-5180

CRITICAL EPSS 94.4%
Published Oct 3, 20169y ago · Modified Jun 17, 20262w ago
9.8 CVSS 3.1
Critical
Find Similar
Published Oct 3, 2016 9y ago
Last Modified Jun 17, 2026 2w ago

Description

Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
94.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 32

VendorProductVersionRange
c-aresc-ares1.0.0any
c-aresc-ares1.1.0any
c-aresc-ares1.2.0any
c-aresc-ares1.2.1any
c-aresc-ares1.3.0any
c-aresc-ares1.3.1any
c-aresc-ares1.3.2any
c-aresc-ares1.4.0any
c-aresc-ares1.5.0any
c-aresc-ares1.5.1any
c-aresc-ares1.5.2any
c-aresc-ares1.5.3any
c-aresc-ares1.6.0any
c-aresc-ares1.7.0any
c-aresc-ares1.7.1any
c-aresc-ares1.7.2any
c-aresc-ares1.7.3any
c-aresc-ares1.7.4any
c-aresc-ares1.7.5any
c-aresc-ares1.8.0any
c-aresc-ares1.9.0any
c-aresc-ares1.9.1any
c-aresc-ares1.10.0any
c-ares_projectc-ares1.11.0any
debiandebian_linux8.0any
nodejsnode.js*≥0.10.0  –  <0.10.48
nodejsnode.js*≥0.12.0  –  <0.12.17
nodejsnode.js*≥4.0.0  –  <4.6.1
canonicalubuntu_linux12.04any
canonicalubuntu_linux14.04any
canonicalubuntu_linux16.04any
canonicalubuntu_linux16.10any

References 9

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.