PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14461 BitWizard CVE debrief

The mtr package is vulnerable to an out-of-bound read issue in the ipinfo_lookup() function. An attacker can influence the TXT response used for AS lookups to trigger this bug by returning a DNS response larger than 512 bytes with a crafted compression pointer in the answer NAME field. The ipinfo_lookup() function uses the response length as the end-of-message boundary for the dn_expand() function, resulting in a reliable crash. This issue exists in mtr through version 0.96 and was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.

Vendor
BitWizard
Product
mtr
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the mtr package, particularly those who handle DNS responses, should be aware of this vulnerability. An attacker could potentially exploit this issue to cause a denial-of-service (DoS) attack by crashing the mtr service.

Technical summary

The mtr package is vulnerable to an out-of-bound read issue in the ipinfo_lookup() function. This function is used to perform AS lookups and can be triggered by an attacker who can influence the TXT response. The vulnerability exists because the ipinfo_lookup() function uses the length of the response as the end-of-message boundary for the dn_expand() function. An attacker can exploit this by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME field, resulting in a reliable crash. This issue was fixed in commit 48e1794414d338ce47abc0f27c25ade8788af9c3.

Defensive priority

Medium

Recommended defensive actions

  • Update the mtr package to version 0.97 or later
  • Implement input validation and sanitization for DNS responses
  • Monitor for suspicious DNS activity
  • Consider implementing rate limiting for DNS lookups
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-10T11:16:32.823Z and has not been modified since then. The NVD entry is currently 5.1 MEDIUM. Limited information is available about the vulnerability, and further analysis is required to fully understand the impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T11:16:32.823Z and has not been modified since then.