Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
DNS response interception requires attacker network positioning (AC:H); user must actively run mtr (UI:R); only mtr process crashes, no confidentiality or integrity impact.
Primary rating from Vendor (cert).
CVSS VectorVendor: cert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
mtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash.
This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.
AnalysisAI
Out-of-bounds read in mtr's ipinfo_lookup() function allows a DNS-layer attacker to reliably crash the tool by serving a crafted TXT response during AS-number lookups. mtr through version 0.96 is affected; the root cause is that dn_expand() receives the total response length as its boundary argument rather than the safe, validated packet end - so a >512-byte response carrying a malicious compression pointer in the answer NAME field directs the read past the buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two conditions must hold simultaneously: (1) the victim must actively run mtr with AS-number lookup functionality enabled - this is what triggers the ipinfo_lookup() code path; if mtr is invoked without --aslookup or equivalent, the vulnerable function is never called; and (2) the attacker must be able to influence or control the DNS TXT response mtr receives for AS queries - this requires network-level positioning such as ARP poisoning, operating a rogue DNS resolver, BGP route manipulation, or compromising an upstream nameserver. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.1 (Medium) is well-calibrated: UI:A correctly reflects that the victim must actively invoke mtr, and VA:L captures the limited blast radius of a single-process crash with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker performing a DNS MITM attack - for example via ARP spoofing on a shared network segment, operating a rogue Wi-Fi access point, or controlling an upstream resolver - intercepts mtr's AS-lookup TXT query and responds with a packet exceeding 512 bytes that embeds a crafted DNS compression pointer in the answer NAME field. When the victim subsequently runs mtr against any target host with AS lookups active, ipinfo_lookup() processes the malicious response and dn_expand() reads out-of-bounds memory, causing mtr to crash reliably. … |
| Remediation | The upstream fix is available as commit 48e1794414d338ce47abc0f27c25ade8788af9c3 in the traviscross/mtr GitHub repository (https://github.com/traviscross/mtr/commit/48e1794414d338ce47abc0f27c25ade8788af9c3); users should rebuild mtr from this commit or await a tagged release and a patched distribution package. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42866
GHSA-58vq-325m-3wrj