CVE-2020-14354

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-14354
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-14354.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-14354
Downstream
Published
2021-05-13T14:15:17.503Z
Modified
2026-04-11T21:19:52.436998Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

A possible use-after-free and double-free in c-ares lib version 1.16.0 if aresdestroy() is called prior to aresgetaddrinfo() completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability.

References

Affected packages

Git / github.com/c-ares/c-ares

Affected ranges

Type
GIT
Repo
https://github.com/c-ares/c-ares
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
077a587dccbe2f0d8a1987fbd3525333705c2249
Fixed
1cc7e83c3bdfaafbc5919c95025592d8de3a170e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.16.0"
        }
    ]
}

Affected versions

Other
c-ares-1_2_0
cares-1_10_0
cares-1_11_0
cares-1_11_0-rc1
cares-1_12_0
cares-1_13_0
cares-1_14_0
cares-1_15_0
cares-1_16_0
cares-1_1_0
cares-1_2_1
cares-1_3_1
cares-1_3_2
cares-1_4_0
cares-1_5_0
cares-1_5_1
cares-1_5_2
cares-1_5_3
cares-1_6_0
cares-1_7_0
cares-1_7_1
cares-1_7_2
cares-1_7_3
cares-1_7_4
cares-1_7_5
cares-1_8_0
cares-1_9_0
cares-1_9_1
curl-7_10_8
curl-7_11_0
curl-7_11_1
curl-7_12_0
curl-7_12_1
curl-7_12_2
curl-7_13_0
curl-7_13_1
curl-7_13_2
curl-7_14_0
curl-7_14_1
curl-7_15_0
curl-7_15_1
curl-7_15_3
curl-7_15_4
curl-7_15_5
curl-7_15_6-prepipeline
curl-7_16_0
curl-7_16_1
curl-7_16_2
curl-7_16_3
curl-7_16_4
curl-7_17_0
curl-7_17_1
curl-7_18_0
curl-7_18_1
curl-7_18_2
curl-7_19_0
curl-7_19_2
curl-7_19_3
curl-7_19_4
curl-7_19_5
curl-7_19_6
curl-7_19_7
curl-7_20_0

Database specific

vanir_signatures_modified 
"2026-04-11T21:19:52Z"
vanir_signatures 
[
    {
        "id": "CVE-2020-14354-0943984d",
        "target": {
            "function": "host_callback",
            "file": "ares_getaddrinfo.c"
        },
        "digest": {
            "function_hash": "41641729463172895225490036612231902270",
            "length": 625.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
        "signature_version": "v1"
    },
    {
        "id": "CVE-2020-14354-61d1432b",
        "target": {
            "file": "ares_getaddrinfo.c"
        },
        "digest": {
            "line_hashes": [
                "188514934666865950876588083814903200380",
                "216654447602516332471211556636820849519",
                "280935007277571070082878613853237796717",
                "123115424187489169459219809240179726727"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/c-ares/c-ares/commit/1cc7e83c3bdfaafbc5919c95025592d8de3a170e",
        "signature_version": "v1"
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-14354.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    }
]