CVE-2026-14461
Received Received - Intake

Out-of-Bound Read in mtr Network Diagnostic Tool

Vulnerability report for CVE-2026-14461, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: CERT.PL

Description

mtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash. This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bitwizard mtr to 0.96 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can cause the mtr application to crash reliably when processing maliciously crafted DNS responses.

An attacker who can manipulate the DNS TXT response for AS lookups can trigger this crash, potentially leading to denial of service conditions for users relying on mtr for network diagnostics.

Mitigation Strategies

The immediate mitigation step is to update the mtr software to a version that includes the fix from commit 48e1794414d338ce47abc0f27c25ade8788af9c3, which addresses the vulnerability by adding a boundary check on the DNS response length.

If updating is not immediately possible, avoid using mtr for AS lookups or restrict DNS responses to sizes below 512 bytes to prevent triggering the out-of-bound read.

Detection Guidance

This vulnerability causes a reliable crash in the mtr tool when it processes a specially crafted DNS TXT response larger than 512 bytes with compression pointers. Detection can involve monitoring for crashes or abnormal behavior of the mtr utility during AS lookups.

Since the issue is triggered by DNS responses used in AS lookups, you can attempt to reproduce the crash by sending DNS TXT queries that return large responses with crafted compression pointers to the system running mtr.

No specific detection commands are provided in the available resources.

Executive Summary

CVE-2026-14461 is an out-of-bounds read vulnerability in the mtr software, specifically in the ipinfo_lookup() function.

The vulnerability occurs when an attacker influences the TXT DNS response used for Autonomous System (AS) lookups by returning a DNS response larger than 512 bytes with a specially crafted compression pointer in the answer NAME field.

Because ipinfo_lookup() uses the length of the response as the end-of-message boundary for the dn_expand() function, this crafted response causes dn_expand() to read beyond the intended buffer, leading to a reliable crash.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart