CVE-2022-4904

HIGH
Published Mar 6, 20233y ago · Modified Jun 17, 20262w ago
8.6 CVSS 3.1
High
Find Similar
Published Mar 6, 2023 3y ago
Last Modified Jun 17, 2026 2w ago

Description

A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.

CVSS Details

Base Score
8.6
Exploitability
3.9
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 2

CWE-1284
CWE-20 Improper Input Validation Validation

Affected Products 5

VendorProductVersionRange
c-ares_projectc-ares* <1.19.0
redhatsoftware_collections*any
redhatenterprise_linux8.0any
redhatenterprise_linux9.0any
fedoraprojectfedora36any

References 4

  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2168631
    Issue TrackingThird Party Advisory
  • github.com https://github.com/c-ares/c-ares/issues/496
    ExploitIssue Tracking
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/
  • security.gentoo.org https://security.gentoo.org/glsa/202401-02

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.