Use-After-Free and Double-Free Vulnerability in c-ares Library by Haxx
CVE-2020-14354

3.3 LOW

Key Information:

Vendor: C-ares
Status: Vendor
CVE Published: 13 May 2021

What is CVE-2020-14354?

A potential use-after-free and double-free vulnerability exists in the c-ares library version 1.16.0. The issue can occur if ares_destroy() is called before a pending ares_getaddrinfo() request has completed. An attacker who can trigger this condition can cause instability and possible crashes in any service that uses c-ares, affecting service availability. System administrators and developers who use this library should review how their code orders these calls and apply the available updates to reduce the risk of service disruption.

Affected Version(s)

c-ares c-ares 1.16.1

References

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
