Full Report
Out-of-bounds read vulnerability (CVE-2026-14461) has been found in BitWizard mtr software.
Analysis Summary
# Vulnerability: Out-of-bounds Read in BitWizard mtr
## CVE Details
- **CVE ID:** CVE-2026-14461
- **CVSS Score:** Not explicitly provided (Estimated: Medium/High due to reliable crash/DoS)
- **CWE:** CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products:** BitWizard mtr (My TraceRoute)
- **Versions:** All versions through 0.95 and including 0.96
- **Configurations:** Systems where mtr is configured to perform AS (Autonomous System) lookups via TXT DNS records.
## Vulnerability Description
A vulnerability exists in the `ipinfo_lookup()` function of the `mtr` diagnostic tool. The flaw is triggered when the software processes a specially crafted DNS TXT response used for AS lookups.
Technically, the `ipinfo_lookup()` function incorrectly calculates the end-of-message boundary for the `dn_expand()` function, using the length of the response itself. An attacker can provide a DNS response larger than 512 bytes that utilizes a malicious compression pointer in the answer `NAME` field. This causes the application to read outside of its allocated memory buffer.
## Exploitation
- **Status:** Reported via CERT Polska; PoC methodology described.
- **Complexity:** Medium (Requires controlling or spoofing DNS TXT responses for the target's lookups).
- **Attack Vector:** Network (Remote via DNS response).
## Impact
- **Confidentiality:** None/Low (Primarily leads to memory corruption).
- **Integrity:** None.
- **Availability:** High (The flaw result is a reliable crash of the application, leading to Denial of Service).
## Remediation
### Patches
- The vulnerability has been addressed in the source code repository.
- **Fix Commit:** `48e1794414d338ce47abc0f27c25ade8788af9c3`
- Users should update to a version containing this commit or any version released after 0.96.
### Workarounds
- Disable AS lookup features in `mtr` settings (e.g., avoid using flags that trigger IP information lookups) if patching is not immediately possible.
## Detection
- **Indicators of Compromise:** Application crashes (SIGSEGV) occurring specifically during the IP information/AS lookup phase of a trace.
- **Detection methods:** Monitoring for abnormally large DNS TXT responses (over 512 bytes) originating from AS lookup providers.
## References
- **Vendor/Advisory:** hXXps[://]cert[.]pl/en/posts/2026/07/vulnerability-in-bitwizard-mtr/
- **CVE Record:** hXXps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-14461
- **CVD Policy:** hXXps[://]cert[.]pl/en/cvd/