Description
mtr is vulnerable to Out-of-bound read vulnerability in ipinfo_lookup() function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field. ipinfo_lookup() function uses the length of the response as the end-of-message boundary for dn_expand() function. The result is a reliable crash. This issue exists in the mtr through version 0.96 and it was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.
Problem types
Product status
Any version
Credits
Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)
References
cert.pl/en/posts/2026/07/CVE-2026-14461
github.com/...ommit/48e1794414d338ce47abc0f27c25ade8788af9c3