Inefficient Algorithmic Complexity in c-ares - #VU137034
Published: July 7, 2026
c-ares
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient algorithmic complexity in ares_dns_name_parse() when parsing crafted DNS responses with unbounded compression pointer chains. A remote attacker can send a specially crafted DNS response to cause a denial of service.
Because c-ares runs on a single-threaded event loop, parsing a crafted response can stall all resolution for the duration.