Description
WinMTR 0.91 contains a denial of service vulnerability that allows attackers to crash the application by sending a malformed payload file containing a large buffer of repeated characters. Attackers can create a specially crafted input file with 238 bytes of data to trigger a buffer overflow condition that causes the application to crash.
Published: 2026-05-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WinMTR version 0.91 contains a buffer overflow vulnerability in its file‑injection logic. By supplying a specially crafted input file with 238 bytes of repeated characters, an attacker can trigger an overflow that causes the application to crash. The result is a denial of service, limiting the user’s ability to perform network diagnostics, but no remote code execution or data compromise is possible with this flaw.

Affected Systems

The vulnerability affects the WinMTR application, specifically version 0.91. No other versions or variants are listed as impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity risk. The EPSS value is not available, and the flaw is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. The likely attack vector is through the ingestion of a malicious payload file, implying that an attacker would need to supply the file locally or arrange for a victim to open it. Once the exploit is executed, the application will terminate, potentially disrupting network monitoring services.

Generated by OpenCVE AI on May 30, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WinMTR to the latest version that patches the buffer overflow if one is available
  • If an upgrade is not possible, restrict or disable WinMTR usage to prevent accidental execution of the vulnerable file
  • Deploy application whitelisting or sandboxing to prevent accidental execution of malicious input files

Generated by OpenCVE AI on May 30, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:winmtr:winmtr:0.91:*:*:*:*:*:*:*

Mon, 01 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Winmtr
Winmtr winmtr
Vendors & Products Winmtr
Winmtr winmtr

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description WinMTR 0.91 contains a denial of service vulnerability that allows attackers to crash the application by sending a malformed payload file containing a large buffer of repeated characters. Attackers can create a specially crafted input file with 238 bytes of data to trigger a buffer overflow condition that causes the application to crash.
Title WinMTR 0.91 Denial of Service via Buffer Overflow
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Winmtr Winmtr
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-01T14:41:41.611Z

Reserved: 2026-05-30T14:44:38.854Z

Link: CVE-2018-25426

cve-icon Vulnrichment

Updated: 2026-06-01T14:41:31.712Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-30T16:17:03.993

Modified: 2026-06-03T19:31:22.017

Link: CVE-2018-25426

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:17:26Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')