{"id":"CVE-2022-4904","details":"A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.","modified":"2026-04-16T00:03:30.288121277Z","published":"2023-03-06T23:15:11.390Z","related":["ALSA-2023:1582","ALSA-2023:1743","ALSA-2023:2654","ALSA-2023:2655","ALSA-2023:4035","ALSA-2023:6635","ALSA-2023:7116","SUSE-SU-2023:0486-1","SUSE-SU-2023:3420-1","openSUSE-SU-2024:12674-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"36"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33LDNS6RPOPP36Z4MPWXALUQZXJCWJS2/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-02"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2168631"},{"type":"REPORT","url":"https://github.com/c-ares/c-ares/issues/496"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/c-ares/c-ares","events":[{"introduced":"0"},{"fixed":"fddf01938d3789e06cc1c3774e4cd0c7d2a89976"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"1.19.0"}],"cpe":"cpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*"}}],"versions":["c-ares-1_17_0","c-ares-1_2_0","cares-1_10_0","cares-1_11_0","cares-1_11_0-rc1","cares-1_12_0","cares-1_13_0","cares-1_14_0","cares-1_15_0","cares-1_16_0","cares-1_16_1","cares-1_17_1","cares-1_17_2","cares-1_18_0","cares-1_18_1","cares-1_1_0","cares-1_2_1","cares-1_3_1","cares-1_3_2","cares-1_4_0","cares-1_5_0","cares-1_5_1","cares-1_5_2","cares-1_5_3","cares-1_6_0","cares-1_7_0","cares-1_7_1","cares-1_7_2","cares-1_7_3","cares-1_7_4","cares-1_7_5","cares-1_8_0","cares-1_9_0","cares-1_9_1","curl-7_10_8","curl-7_11_0","curl-7_11_1","curl-7_12_0","curl-7_12_1","curl-7_12_2","curl-7_13_0","curl-7_13_1","curl-7_13_2","curl-7_14_0","curl-7_14_1","curl-7_15_0","curl-7_15_1","curl-7_15_3","curl-7_15_4","curl-7_15_5","curl-7_15_6-prepipeline","curl-7_16_0","curl-7_16_1","curl-7_16_2","curl-7_16_3","curl-7_16_4","curl-7_17_0","curl-7_17_1","curl-7_18_0","curl-7_18_1","curl-7_18_2","curl-7_19_0","curl-7_19_2","curl-7_19_3","curl-7_19_4","curl-7_19_5","curl-7_19_6","curl-7_19_7","curl-7_20_0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4904.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"}]}