vulnerability

Arch Linux: Arbitrary code execution (CVE-2017-15650)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:N/A:P)	Oct 19, 2017	Jul 11, 2025	Nov 27, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:P)

Published

Oct 19, 2017

Added

Jul 11, 2025

Modified

Nov 27, 2025

Description

A stack-based buffer overflow has been found in the DNS response parsing code of musl libc <= 1.1.16. When an application makes a request via getaddrinfo for both IPv4 and IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the nameservers configured in resolv.conf can reply to both the A and AAAA queries with A results. Since A records are smaller than AAAA records, it's possible to fit more addresses than the precomputed bound, and a buffer overflow occurs.

Solution

arch-linux-upgrade-latest

References

CVE-2017-15650
https://attackerkb.com/topics/CVE-2017-15650
URL-http://git.musl-libc.org/cgit/musl/commit/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395
URL-http://git.musl-libc.org/cgit/musl/tree/WHATSNEW
URL-http://openwall.com/lists/oss-security/2017/10/19/5
URL-https://security.archlinux.org/ASA-201710-28
CWE-119

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today