Headline
CVE-2020-22217: read-heap-buffer-overflow in ares_parse_soa_reply() · Issue #333 · c-ares/c-ares
Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via function ares_parse_soa_reply in ares_parse_soa_reply.c.
If this is, indeed, an OOB read, then NVD scored incorrectly in this case. That said, I am not defending NVD as they frequently do not score correctly. That said, I want to point out that one part of CVSS specs says to "Score for the worst". That is one thing that leads to many v2 10 / v3 9.8 scores, especially when a vendor says e.g. "Vulnerability fixed". Without details orgs are forced to score like that, which may be artificially high of course.
Related news
Red Hat Security Advisory 2023-7207-01
Red Hat Security Advisory 2023-7207-01 - An update for c-ares is now available for Red Hat Enterprise Linux 8. Issues addressed include a buffer over-read vulnerability.