Resource exhaustion in c-ares - #VU137035
Published: July 7, 2026
c-ares
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the DNS response parser when parsing DNS responses. A remote attacker can send a specially crafted DNS response with forged header record counts to cause a denial of service.
The issue is triggered before transaction-ID validation or question matching, and sustained exploitation is required to produce allocator pressure that degrades availability.