{"id":"CVE-2024-25629","summary":"c-ares out of bounds read in ares__read_line()","details":"c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.","aliases":["GHSA-mg26-v6qh-x48q"],"modified":"2026-04-02T10:07:54.080025Z","published":"2024-02-23T14:52:24.967Z","related":["ALSA-2024:2778","ALSA-2024:2779","ALSA-2024:2780","ALSA-2024:2853","ALSA-2024:2910","ALSA-2024:3842","ALSA-2024:4249","CGA-fw55-q4p4-jvq2","MGASA-2024-0051","SUSE-SU-2024:1135-1","SUSE-SU-2024:1136-1","SUSE-SU-2024:1136-2","openSUSE-SU-2024:13722-1"],"database_specific":{"cwe_ids":["CWE-127"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25629.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2P76QYINQNPEHUTEEDOUYIRZ2X6UVZ5K/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSCMTSPDIE2UHU34TIXQQHZ6JTE3Y3VF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX37LFPFQ3T6FFMMFYQTEGIQXXN7F27U/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25629.json"},{"type":"ADVISORY","url":"https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25629"},{"type":"FIX","url":"https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/c-ares/c-ares","events":[{"introduced":"0"},{"fixed":"9eb57f2c8beb4e8af590992e56182c0788b9ce0b"}]}],"versions":["c-ares-1_17_0","c-ares-1_2_0","cares-1_10_0","cares-1_11_0","cares-1_11_0-rc1","cares-1_12_0","cares-1_13_0","cares-1_14_0","cares-1_15_0","cares-1_16_0","cares-1_16_1","cares-1_17_1","cares-1_17_2","cares-1_18_0","cares-1_18_1","cares-1_19_0","cares-1_19_1","cares-1_1_0","cares-1_20_0","cares-1_20_1","cares-1_21_0","cares-1_22_0","cares-1_22_1","cares-1_23_0","cares-1_24_0","cares-1_25_0","cares-1_26_0","cares-1_2_1","cares-1_3_1","cares-1_3_2","cares-1_4_0","cares-1_5_0","cares-1_5_1","cares-1_5_2","cares-1_5_3","cares-1_6_0","cares-1_7_0","cares-1_7_1","cares-1_7_2","cares-1_7_3","cares-1_7_4","cares-1_7_5","cares-1_8_0","cares-1_9_0","cares-1_9_1","curl-7_10_8","curl-7_11_0","curl-7_11_1","curl-7_12_0","curl-7_12_1","curl-7_12_2","curl-7_13_0","curl-7_13_1","curl-7_13_2","curl-7_14_0","curl-7_14_1","curl-7_15_0","curl-7_15_1","curl-7_15_3","curl-7_15_4","curl-7_15_5","curl-7_15_6-prepipeline","curl-7_16_0","curl-7_16_1","curl-7_16_2","curl-7_16_3","curl-7_16_4","curl-7_17_0","curl-7_17_1","curl-7_18_0","curl-7_18_1","curl-7_18_2","curl-7_19_0","curl-7_19_2","curl-7_19_3","curl-7_19_4","curl-7_19_5","curl-7_19_6","curl-7_19_7","curl-7_20_0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25629.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"}]}