PatchSiren cyber security CVE debrief
CVE-2026-14461 BitWizard CVE debrief
The mtr package is vulnerable to an out-of-bound read issue in the ipinfo_lookup() function. An attacker can influence the TXT response used for AS lookups to trigger this bug by returning a DNS response larger than 512 bytes with a crafted compression pointer in the answer NAME field. The ipinfo_lookup() function uses the response length as the end-of-message boundary for the dn_expand() function, resulting in a reliable crash. This issue exists in mtr through version 0.96 and was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.
- Vendor
- BitWizard
- Product
- mtr
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the mtr package, particularly those who handle DNS responses, should be aware of this vulnerability. An attacker could potentially exploit this issue to cause a denial-of-service (DoS) attack by crashing the mtr service.
Technical summary
The mtr package is vulnerable to an out-of-bound read issue in the ipinfo_lookup() function. This function is used to perform AS lookups and can be triggered by an attacker who can influence the TXT response. The vulnerability exists because the ipinfo_lookup() function uses the length of the response as the end-of-message boundary for the dn_expand() function. An attacker can exploit this by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field, resulting in a reliable crash. This issue was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.
Defensive priority
Medium
Recommended defensive actions
- Update the mtr package to version 0.97 or later
- Implement input validation and sanitization for DNS responses
- Monitor for suspicious DNS activity
- Consider implementing rate limiting for DNS lookups
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T11:16:32.823Z and has not been modified since then. The NVD entry is currently 5.1 MEDIUM. Limited information is available about the vulnerability, and further analysis is required to fully understand the impact.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T11:16:32.823Z and has not been modified since then.