CVE-2016-5180

CVE	CVE-2016-5180
State	PUBLISHED
Assigner	Chrome
Source Priority	CVE Program / NVD first with legacy fallback
Published	2016-10-03 15:59:03 UTC
Updated	2026-05-06 22:30:45 UTC
Description	Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.

Primary CVSS: v3.1 9.8 CRITICAL from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types: CWE-787 | n/a

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	9.8	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
2.0	[email protected]	Primary	7.5		`AV:N/AC:L/Au:N/C:P/I:P/A:P`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Access Vector

Network

Access Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Type	Vendor	Product	Version	Update	Edition	Language
Application	C-ares	C-ares	1.0.0	All	All	All
Application	C-ares	C-ares	1.1.0	All	All	All
Application	C-ares	C-ares	1.10.0	All	All	All
Application	C-ares	C-ares	1.2.0	All	All	All
Application	C-ares	C-ares	1.2.1	All	All	All
Application	C-ares	C-ares	1.3.0	All	All	All
Application	C-ares	C-ares	1.3.1	All	All	All
Application	C-ares	C-ares	1.3.2	All	All	All
Application	C-ares	C-ares	1.4.0	All	All	All
Application	C-ares	C-ares	1.5.0	All	All	All
Application	C-ares	C-ares	1.5.1	All	All	All
Application	C-ares	C-ares	1.5.2	All	All	All
Application	C-ares	C-ares	1.5.3	All	All	All
Application	C-ares	C-ares	1.6.0	All	All	All
Application	C-ares	C-ares	1.7.0	All	All	All
Application	C-ares	C-ares	1.7.1	All	All	All
Application	C-ares	C-ares	1.7.2	All	All	All
Application	C-ares	C-ares	1.7.3	All	All	All
Application	C-ares	C-ares	1.7.4	All	All	All
Application	C-ares	C-ares	1.7.5	All	All	All
Application	C-ares	C-ares	1.8.0	All	All	All
Application	C-ares	C-ares	1.9.0	All	All	All
Application	C-ares	C-ares	1.9.1	All	All	All
Application	C-ares Project	C-ares	1.11.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Application	Nodejs	Node.js	All	All	All	All

Source	Vendor	Product	Version	Platforms
CNA	Na	N/a	affected n/a	Not specified

Reference	Source	Link	Tags
C-ares CVE-2016-5180 Out of Bounds Write Denial of Service Vulnerability	af854a3a-2127-422b-91ae-364da2661108	www.securityfocus.com
USN-3143-1: c-ares vulnerability \| Ubuntu	af854a3a-2127-422b-91ae-364da2661108	www.ubuntu.com
Android Security Bulletin—January 2017 \| Android Open Source Project	af854a3a-2127-422b-91ae-364da2661108	source.android.com
c-ares.haxx.se/CVE-2016-5180.patch	af854a3a-2127-422b-91ae-364da2661108	c-ares.haxx.se
Debian -- Security Information -- DSA-3682-1 c-ares	af854a3a-2127-422b-91ae-364da2661108	www.debian.org
ares_create_query single byte out of buffer write	af854a3a-2127-422b-91ae-364da2661108	c-ares.haxx.se
Red Hat Customer Portal	af854a3a-2127-422b-91ae-364da2661108	rhn.redhat.com
Chrome Releases: Stable Channel Update for Chrome OS	af854a3a-2127-422b-91ae-364da2661108	googlechromereleases.blogspot.in
c-ares: Heap-based buffer overflow (GLSA 201701-28) — Gentoo security	af854a3a-2127-422b-91ae-364da2661108	security.gentoo.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

710452 Gentoo Linux c-ares Heap-based buffer overflow Vulnerability (GLSA 201701-28)