CVE-2026-49494
Deferred - Pending Action

Integer Underflow in Comodo Internet Security Firewall Driver

Publication date: 2026-06-07

Last updated on: 2026-06-23

Assigner: VulnCheck

Description

Xcitium Client Security (XCS) before 13.8.2.10019 and Comodo Internet Security (CIS) through 12.3.4.8162 (fix expected by 2026 Q3) contain an integer underflow vulnerability in the firewall driver Inspect.sys that allows remote unauthenticated attackers to crash the system by sending a crafted IPv6 packet with a declared payload length smaller than the sum of its extension-header lengths. The unsigned 64-bit payload-length value underflows to a near-maximal integer, triggering an out-of-bounds read and oversized memcpy in the Windows kernel at DISPATCH_LEVEL, resulting in a blue screen of death even on hosts with all ports blocked.

Meta Information

Published: 2026-06-07
Last Modified: 2026-06-23
Generated: 2026-06-28
AI Q&A: 2026-06-07
EPSS Evaluated: 2026-06-26

Affected Vendors & Products

Showing 1 associated CPE
Vendor: comodo
Product: internet_security
Version / Range: to 12.3.4.8162 (inc)

Exploitability

CWE

CWE-191: The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

Executive Summary

CVE-2026-49494 is an integer underflow vulnerability in the IPv6 packet parser of Comodo Internet Security's firewall driver Inspect.sys. The parser incorrectly decrements an unsigned 64-bit payload-length value from the IPv6 header by the size of each IPv6 extension header without validating the result. If the declared payload length is smaller than the total extension header lengths, this causes the value to underflow to a very large number.

Because IPv6 parsing happens before firewall rules are enforced, a remote attacker can send a specially crafted IPv6 packet to a host, even if all ports are blocked, to trigger out-of-bounds memory reads or oversized memory copies in the Windows kernel. This leads to a system crash, commonly known as a Blue Screen of Death (BSOD).

Impact Analysis

This vulnerability allows a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by crashing the affected system. The attacker can send a single crafted IPv6 packet that triggers a kernel-level crash, resulting in a Blue Screen of Death (BSOD).

Because the attack can be performed without any authentication and even when all ports are blocked by the firewall, it poses a significant risk of system disruption and downtime.

Detection Guidance

This vulnerability can be detected by monitoring for crafted IPv6 packets that exploit the integer underflow in the IPv6 packet parser of Comodo Internet Security's firewall driver Inspect.sys. Since the vulnerability is triggered by a single specially crafted IPv6 packet, network detection tools could look for unusual or malformed IPv6 packets with payload lengths smaller than the sum of their extension-header lengths.

A practical approach to detection is to use the proof-of-concept (PoC) exploit named ComoDoS, available on GitHub, which demonstrates how the flaw can be triggered. Running this PoC in a controlled environment can help verify if a system is vulnerable.

Specific commands are not provided in the resources, but network administrators can use packet capture tools like tcpdump or Wireshark to filter and analyze IPv6 packets for suspicious payload length fields and extension headers. For example, a tcpdump command to capture IPv6 packets might be:

  • tcpdump -i <interface> ip6

Further analysis would require inspecting the payload length and extension headers manually or with custom scripts.
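
The manual inspection described above can be scripted. The following is an added example, not code from the advisory or the vendor: it walks the extension-header chain of one raw IPv6 packet, flags the case where the extension headers exceed the declared payload length, and reports the value an unchecked unsigned 64-bit subtraction would leave. The function names and both sample packets are constructed for illustration.

```python
import struct

EXT_8OCTET = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options: (len + 1) * 8 bytes
FRAGMENT = 44             # Fragment header: fixed 8 bytes
AUTH = 51                 # Authentication Header: (len + 2) * 4 bytes
U64 = (1 << 64) - 1

def check_ipv6(pkt: bytes) -> dict:
    """Inspect one raw IPv6 packet (starting at the IPv6 header, no link layer)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack_from("!H", pkt, 4)[0]
    nxt, off, ext_total = pkt[6], 40, 0
    while nxt in EXT_8OCTET or nxt in (FRAGMENT, AUTH):
        if off + 2 > len(pkt):
            break  # capture truncated before this header; stop walking
        if nxt == FRAGMENT:
            hlen = 8
        elif nxt == AUTH:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        ext_total += hlen
        nxt, off = pkt[off], off + hlen
    return {
        "payload_len": payload_len,
        "ext_total": ext_total,
        # the condition named in the CVE description
        "suspicious": ext_total > payload_len,
        # result of subtracting without a bounds check in unsigned 64-bit arithmetic
        "remaining_u64": (payload_len - ext_total) & U64,
    }

def ipv6_header(payload_len: int, next_header: int) -> bytes:
    """Constructed 40-byte IPv6 header with zeroed addresses (sample data only)."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + bytes(32)

# Constructed 8-byte Hop-by-Hop header: next=59 (No Next Header), len=0, PadN option
HBH = bytes([59, 0, 1, 4, 0, 0, 0, 0])
BENIGN = ipv6_header(8, 0) + HBH     # declared payload covers the extension header
MALFORMED = ipv6_header(4, 0) + HBH  # declared payload smaller than the extension header

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, check_ipv6(pkt))
```

A payload length of 0 with any extension header is also flagged; an RFC 2675 jumbogram would need its Jumbo Payload option parsed before applying this check.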

Mitigation Strategies

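Immediate mitigation steps include updating Xcitium Client Security to 13.8.2.10019 or later, and updating Comodo Internet Security to a version later than 12.3.4.8162 once one is released, as this vulnerability affects versions up to and including 12.3.4.8162 and the description lists the Comodo Internet Security fix as expected by 2026 Q3.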

If an update is not immediately available, consider disabling the Comodo Internet Security firewall component or blocking IPv6 traffic at the network perimeter to prevent the crafted packets from reaching vulnerable hosts.

Additionally, monitoring network traffic for suspicious IPv6 packets and applying network-level filtering rules to drop malformed IPv6 packets can help reduce exposure.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
