OVAL

[3.4] c-ares: Single byte out of buffer write (CVE-2016-5180)

ID: oval:org.secpod.oval:def:1800793
Date: (C)2018-03-29   (M)2023-11-10
Class: PATCH
Family: unix




When a string that ends in an escaped trailing dot, like "hello\.", is passed to ares_create_query or ares_mkquery, c-ares miscalculates the string length and subsequently writes one byte outside of the allocated buffer. The wrongly written byte is the least significant byte of the "dnsclass" argument, most commonly 1. Proof-of-concept code has shown how this can be exploited in a real-world system, but we are not aware of any exploits having actually happened in the wild.

Affected versions: c-ares 1.0.0 up to and including 1.11.0
Fixed in version: c-ares 1.12.0

Platform: Alpine Linux 3.4
Product: c-ares
Reference: 6257, CVE-2016-5180
CVE (1): CVE-2016-5180
CPE (26):
cpe:/a:c-ares_project:c-ares:1.7.5
cpe:/a:c-ares_project:c-ares:1.7.4
cpe:/a:c-ares_project:c-ares:1.10.0
cpe:/a:c-ares_project:c-ares:1.11.0
...

© SecPod Technologies