CVE-2016-5180
CRITICAL EPSS 94.4%
Published Oct 3, 20169y ago · Modified Jun 17, 20262w ago
9.8 CVSS 3.1
Published Oct 3, 2016 9y ago
Last Modified Jun 17, 2026 2w ago
Description
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
94.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-787 Out-of-bounds Write Memory Safety
Affected Products 32
| Vendor | Product | Version | Range |
|---|---|---|---|
| c-ares | c-ares | 1.0.0 | any |
| c-ares | c-ares | 1.1.0 | any |
| c-ares | c-ares | 1.2.0 | any |
| c-ares | c-ares | 1.2.1 | any |
| c-ares | c-ares | 1.3.0 | any |
| c-ares | c-ares | 1.3.1 | any |
| c-ares | c-ares | 1.3.2 | any |
| c-ares | c-ares | 1.4.0 | any |
| c-ares | c-ares | 1.5.0 | any |
| c-ares | c-ares | 1.5.1 | any |
| c-ares | c-ares | 1.5.2 | any |
| c-ares | c-ares | 1.5.3 | any |
| c-ares | c-ares | 1.6.0 | any |
| c-ares | c-ares | 1.7.0 | any |
| c-ares | c-ares | 1.7.1 | any |
| c-ares | c-ares | 1.7.2 | any |
| c-ares | c-ares | 1.7.3 | any |
| c-ares | c-ares | 1.7.4 | any |
| c-ares | c-ares | 1.7.5 | any |
| c-ares | c-ares | 1.8.0 | any |
| c-ares | c-ares | 1.9.0 | any |
| c-ares | c-ares | 1.9.1 | any |
| c-ares | c-ares | 1.10.0 | any |
| c-ares_project | c-ares | 1.11.0 | any |
| debian | debian_linux | 8.0 | any |
| nodejs | node.js | * | ≥0.10.0 – <0.10.48 |
| nodejs | node.js | * | ≥0.12.0 – <0.12.17 |
| nodejs | node.js | * | ≥4.0.0 – <4.6.1 |
| canonical | ubuntu_linux | 12.04 | any |
| canonical | ubuntu_linux | 14.04 | any |
| canonical | ubuntu_linux | 16.04 | any |
| canonical | ubuntu_linux | 16.10 | any |
References 9
- rhn.redhat.com http://rhn.redhat.com/errata/RHSA-2017-0002.html
- debian.org http://www.debian.org/security/2016/dsa-3682
- securityfocus.com http://www.securityfocus.com/bid/93243
- ubuntu.com http://www.ubuntu.com/usn/USN-3143-1
- c-ares.haxx.se https://c-ares.haxx.se/CVE-2016-5180.patch
- c-ares.haxx.se https://c-ares.haxx.se/adv_20160929.html
- googlechromereleases.blogspot.in https://googlechromereleases.blogspot.in/2016/09/stable-channel-updates-for-chrome-os.html
- security.gentoo.org https://security.gentoo.org/glsa/201701-28
- source.android.com https://source.android.com/security/bulletin/2017-01-01.html
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.