c-ares vulnerabilities
These are all known and public c-ares vulnerabilities to date. See also our security incident process.

CVE-2021-3672 - August 10 2021

Missing input validation on hostnames returned by DNS servers

CVE-2017-1000381 - June 20 2017

NAPTR parser out of bounds access

CVE-2016-5180 - Sep 29 2016

ares_create_query single byte out of buffer write

CVE-2007-3153 - Jun 8 2007

The ares_init:randomize_key function uses the rand function to produce random numbers. A remote attacker could possibly exploit this vulnerability to spoof hostnames and addresses in the DNS cache. See the project advisory.

For unknown reasons, it seems CVE-2007-3152 is also often used to refer to this same issue.

This flaw was fixed in 1.4.0.