CVE-2022-4904
Advisory lineage: Upstream 0, Downstream 22
Status: Modified
Published: 06 Mar 2023, 00:00
Last modified: 02 Dec 2025, 20:25
Vulnerability Summary
Overall Risk (default): medium (44/100)
CVSS Score: 8.6 HIGH, v3.1 (cve.org)
EPSS Score: 0.16% LOW (trend: -0.01%)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected
Timeline
06 Mar 2023, 00:00: Published (vulnerability first disclosed)
02 Dec 2025, 20:25: Last Modified (vulnerability information updated)
Description
A flaw was found in the c-ares package. ares_set_sortlist() does not validate the length of the sortlist string it is given before copying its address/mask tokens into fixed-size stack buffers, so a sufficiently long token causes a stack buffer overflow of attacker-chosen length. The most likely outcome is a crash of the process (denial of service); a limited impact on confidentiality and integrity is also possible. Exposure depends on whether untrusted input can reach the sortlist string (for example via a resolver configuration or an application that passes user-controlled data to ares_set_sortlist()); the CVSS vector below assumes a network-reachable path. Versions before 1.19.0 are affected.
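The missing length check, as an added illustration written for this page (it is not c-ares's own code): a sortlist parser in the style of ares_set_sortlist() that splits the string on whitespace and refuses any token that would not fit its fixed-size stack buffer instead of copying it blindly. The buffer sizes IPBUF_LEN and PFXBUF_LEN, the function names, and the sample sortlist strings are assumptions for the example; the vulnerable variant of this code is the same parser with the `n >= dstlen` test in copy_token() removed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Assumed buffer sizes for the example: a dotted quad needs at most
 * 15 characters plus the terminator; an "addr/mask" token needs more. */
#define IPBUF_LEN  16
#define PFXBUF_LEN 32

struct sortlist_entry {
    struct in_addr addr;
    struct in_addr mask;
};

/* Copy the token [start, end) into dst, which holds dstlen bytes.
 * Returns -1 instead of overflowing when the token does not fit.
 * Omitting this check is the class of bug described for CVE-2022-4904. */
static int copy_token(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= dstlen)
        return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* Parse one token of the form "addr", "addr/bits" or "addr/dotted-mask". */
static int parse_entry(const char *tok, struct sortlist_entry *e)
{
    char ipbuf[IPBUF_LEN];
    const char *slash = strchr(tok, '/');

    if (slash == NULL) {
        if (inet_pton(AF_INET, tok, &e->addr) != 1)
            return -1;
        e->mask.s_addr = htonl(0xFFFFFFFFu);   /* single host */
        return 0;
    }
    if (copy_token(ipbuf, sizeof ipbuf, tok, slash) < 0)
        return -1;
    if (inet_pton(AF_INET, ipbuf, &e->addr) != 1)
        return -1;

    const char *m = slash + 1;
    if (strchr(m, '.') != NULL)                /* dotted mask */
        return inet_pton(AF_INET, m, &e->mask) == 1 ? 0 : -1;

    char *endp;                                /* prefix length */
    long bits = strtol(m, &endp, 10);
    if (*m == '\0' || *endp != '\0' || bits < 0 || bits > 32)
        return -1;
    e->mask.s_addr = htonl(bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits));
    return 0;
}

/* Parse a whitespace-separated sortlist into out[0..max).
 * Returns the number of entries, or -1 on any malformed or over-long token. */
int parse_sortlist(const char *str, struct sortlist_entry *out, size_t max)
{
    size_t count = 0;
    const char *p = str;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        const char *q = p;
        while (*q != '\0' && *q != ' ' && *q != '\t')
            q++;

        char tokbuf[PFXBUF_LEN];
        if (copy_token(tokbuf, sizeof tokbuf, p, q) < 0)   /* bounded copy */
            return -1;
        if (count >= max || parse_entry(tokbuf, &out[count]) < 0)
            return -1;
        count++;
        p = q;
    }
    return (int)count;
}

int main(void)
{
    struct sortlist_entry e[4];
    /* Constructed sample inputs: one valid list and one over-long token. */
    int n = parse_sortlist("130.155.160.0/255.255.240.0 130.155.0.0/16 10.0.0.1", e, 4);
    printf("valid list: %d entries\n", n);
    n = parse_sortlist("130.155.160.0/255.255.240.0.0.0.0.0.0.0.0.0.0.0.0.0.0", e, 4);
    printf("over-long token: %d (rejected)\n", n);
    return 0;
}
```

The parser fails closed: an over-long or malformed token makes the whole call return -1 rather than keeping a partially filled list, which matches how a library should treat configuration it cannot validate.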
CVSS Metrics
- v3.1 • HIGH • Score: 8.6 • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H (network attack vector, low complexity, no privileges or user interaction required, scope unchanged; low confidentiality and integrity impact, high availability impact)
EPSS Trends
Current EPSS score: 0.16% • Percentile: 37%
Techniques & Countermeasures
- CWE-20 • Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-1284 • Improper Validation of Specified Quantity in Input
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Affected Systems
- c-ares_project • c-ares: versions before 1.19.0 (fixed in 1.19.0)
- fedoraproject • fedora: 36
- redhat • enterprise_linux: 8.0, 9.0
- redhat • software_collections: version not specified