CVE-2026-14461 in mtr
Summary
by MITRE • 07/10/2026
mtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash.
This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The mtr utility contains a critical out-of-bounds read vulnerability within the ipinfo_lookup() function that stems from improper handling of DNS response message boundaries during domain name expansion operations. This vulnerability manifests when processing TXT responses used for AS lookups and represents a classic buffer over-read condition that can be reliably triggered by maliciously crafted DNS responses. The flaw exists in mtr versions through 0.96 and was subsequently addressed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3, demonstrating the importance of proper input validation in network utilities that process external DNS data.
The technical root cause involves the ipinfo_lookup() function's incorrect use of response length as the end-of-message boundary parameter for the dn_expand() function call. When a DNS response exceeds 512 bytes and contains crafted compression pointers within the answer NAME field, the function fails to properly validate the message boundaries before attempting domain name expansion. This misconfiguration allows an attacker to manipulate the parsing logic such that dn_expand() attempts to read beyond the allocated buffer space, resulting in a reliable crash condition. The vulnerability specifically exploits the DNS protocol's compression mechanism where pointers within domain names can reference previously encountered labels, but the mtr utility does not properly validate these pointer references against the actual response boundaries.
The operational impact of this vulnerability extends beyond simple crash conditions to represent a potential denial-of-service vector that could be exploited in network monitoring and diagnostic environments where mtr is commonly deployed. Attackers with control over DNS resolvers or network traffic interception capabilities can craft malicious responses to trigger this condition, potentially causing service disruptions for network administrators who rely on mtr for connectivity diagnostics and network troubleshooting. The vulnerability affects systems running vulnerable versions of mtr across various network monitoring scenarios where DNS lookups are performed, including automated network health checks and real-time connectivity assessments.
This vulnerability aligns with CWE-129: Improper Validation of Array Index and CWE-787: Out-of-bounds Write or Read, representing a classic buffer management issue where bounds checking fails during string parsing operations. From an attack framework perspective, this vulnerability maps to ATT&CK technique T1071.004: Application Layer Protocol: DNS within the Command and Control category, as it enables malicious actors to manipulate network diagnostic tools through DNS response manipulation. The exploitability is enhanced by the fact that the crash is reliable and can be triggered through standard network communication channels without requiring special privileges or complex attack chains.
Mitigation strategies should focus on immediate patching of affected mtr installations to version containing the fix, along with implementing network monitoring to detect anomalous DNS responses that might indicate attempted exploitation. Network administrators should also consider implementing DNS response validation mechanisms and rate limiting for DNS queries to reduce the attack surface. Additionally, organizations using mtr in automated environments should validate DNS response handling logic and implement proper input sanitization before processing external DNS data to prevent similar vulnerabilities from manifesting in other components of their network monitoring infrastructure.