CVE-2026-14461 PUBLISHED

Out-of-bound read in mtr

Assigner: CERT-PL
Reserved: 02.07.2026 Published: 10.07.2026 Updated: 10.07.2026

mtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash.

This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.1

Product Status

Vendor BitWizard
Product mtr
Versions Default: unaffected
  • affected from 0 to 0.96 (incl.)

Credits

  • Michał Majchrowicz (AFINE Team) finder
  • Marcin Wyczechowski (AFINE Team) finder

References

Problem Types

  • CWE-125 Out-of-bounds read CWE

Impacts

  • CAPEC-540 Overread Buffers