CVE-2024-25629

c-ares is a C library for asynchronous DNS requests. ares__read_line() is used to parse local configuration files such as /etc/resolv.conf, /etc/nsswitch.conf, the HOSTALIASES file, and if using a c-ares version prior to 1.27.0, the /etc/hosts file. If any of these configuration files has an embedded NULL character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/25xxx/CVE-2024-25629.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-127"
    ]
}

References

Affected packages

Git / github.com/c-ares/c-ares

Affected ranges

Type

GIT

Repo

https://github.com/c-ares/c-ares

Events

Introduced

Fixed

9eb57f2c8beb4e8af590992e56182c0788b9ce0b

Fixed

a804c04ddc8245fc8adf0e92368709639125e183

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.27.0"
        }
    ],
    "cpe": "cpe:2.3:a:c-ares:c-ares:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

Other

c-ares-1_17_0

c-ares-1_2_0

cares-1_10_0

cares-1_11_0

cares-1_11_0-rc1

cares-1_12_0

cares-1_13_0

cares-1_14_0

cares-1_15_0

cares-1_16_0

cares-1_16_1

cares-1_17_1

cares-1_17_2

cares-1_18_0

cares-1_18_1

cares-1_19_0

cares-1_19_1

cares-1_1_0

cares-1_20_0

cares-1_20_1

cares-1_21_0

cares-1_22_0

cares-1_22_1

cares-1_23_0

cares-1_24_0

cares-1_25_0

cares-1_26_0

cares-1_2_1

cares-1_3_1

cares-1_3_2

cares-1_4_0

cares-1_5_0

cares-1_5_1

cares-1_5_2

cares-1_5_3

cares-1_6_0

cares-1_7_0

cares-1_7_1

cares-1_7_2

cares-1_7_3

cares-1_7_4

cares-1_7_5

cares-1_8_0

cares-1_9_0

cares-1_9_1

curl-7_10_8

curl-7_11_0

curl-7_11_1

curl-7_12_0

curl-7_12_1

curl-7_12_2

curl-7_13_0

curl-7_13_1

curl-7_13_2

curl-7_14_0

curl-7_14_1

curl-7_15_0

curl-7_15_1

curl-7_15_3

curl-7_15_4

curl-7_15_5

curl-7_15_6-prepipeline

curl-7_16_0

curl-7_16_1

curl-7_16_2

curl-7_16_3

curl-7_16_4

curl-7_17_0

curl-7_17_1

curl-7_18_0

curl-7_18_1

curl-7_18_2

curl-7_19_0

curl-7_19_2

curl-7_19_3

curl-7_19_4

curl-7_19_5

curl-7_19_6

curl-7_19_7

curl-7_20_0

Database specific

vanir_signatures_modified

"2026-06-15T21:04:22Z"

vanir_signatures

[
    {
        "digest": {
            "function_hash": "57112257550967704162705773570935872858",
            "length": 761.0
        },
        "signature_version": "v1",
        "id": "CVE-2024-25629-1f2cd1f1",
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "src/lib/ares__read_line.c",
            "function": "ares__read_line"
        },
        "source": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
    },
    {
        "digest": {
            "line_hashes": [
                "182071347134682389267543468916879866151",
                "172976239659837282304687908239947502217",
                "265973271304584275805104067973476691766",
                "308893332016198751064638464970499917241"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2024-25629-5aa2ab7e",
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "src/lib/ares__read_line.c"
        },
        "source": "https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183"
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25629.json"