Skip to main content

mtr CVE-2026-14461

| EUVDEUVD-2026-42866 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-10 cvd@cert.pl GHSA-58vq-325m-3wrj
5.1
CVSS 4.0 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

DNS response interception requires attacker network positioning (AC:H); user must actively run mtr (UI:R); only mtr process crashes, no confidentiality or integrity impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (cert).

CVSS VectorVendor: cert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 11:31 vuln.today

DescriptionCVE.org

mtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash.

This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.

AnalysisAI

Out-of-bounds read in mtr's ipinfo_lookup() function allows a DNS-layer attacker to reliably crash the tool by serving a crafted TXT response during AS-number lookups. mtr through version 0.96 is affected; the root cause is that dn_expand() receives the total response length as its boundary argument rather than the safe, validated packet end - so a >512-byte response carrying a malicious compression pointer in the answer NAME field directs the read past the buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker intercepts or spoofs DNS on victim's network path
Delivery
Victim runs mtr with AS lookups enabled
Exploit
mtr issues DNS TXT query for AS-number resolution
Execution
Attacker returns >512-byte response with crafted compression pointer in NAME field
Persist
dn_expand() follows pointer past buffer boundary
Impact
Out-of-bounds read triggers reliable mtr process crash

Vulnerability AssessmentAI

Exploitation Two conditions must hold simultaneously: (1) the victim must actively run mtr with AS-number lookup functionality enabled - this is what triggers the ipinfo_lookup() code path; if mtr is invoked without --aslookup or equivalent, the vulnerable function is never called; and (2) the attacker must be able to influence or control the DNS TXT response mtr receives for AS queries - this requires network-level positioning such as ARP poisoning, operating a rogue DNS resolver, BGP route manipulation, or compromising an upstream nameserver. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 (Medium) is well-calibrated: UI:A correctly reflects that the victim must actively invoke mtr, and VA:L captures the limited blast radius of a single-process crash with no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker performing a DNS MITM attack - for example via ARP spoofing on a shared network segment, operating a rogue Wi-Fi access point, or controlling an upstream resolver - intercepts mtr's AS-lookup TXT query and responds with a packet exceeding 512 bytes that embeds a crafted DNS compression pointer in the answer NAME field. When the victim subsequently runs mtr against any target host with AS lookups active, ipinfo_lookup() processes the malicious response and dn_expand() reads out-of-bounds memory, causing mtr to crash reliably. …
Remediation The upstream fix is available as commit 48e1794414d338ce47abc0f27c25ade8788af9c3 in the traviscross/mtr GitHub repository (https://github.com/traviscross/mtr/commit/48e1794414d338ce47abc0f27c25ade8788af9c3); users should rebuild mtr from this commit or await a tagged release and a patched distribution package. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy