CVE-2026-49494
Integer Underflow in Comodo Internet Security Firewall Driver
Publication date: 2026-06-07
Last updated on: 2026-06-07
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comodo | internet_security | to 12.3.4.8162 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49494 is an integer underflow vulnerability in the IPv6 packet parser of Comodo Internet Security's firewall driver Inspect.sys. The parser incorrectly decrements an unsigned 64-bit payload-length value from the IPv6 header by the size of each IPv6 extension header without validating the result. If the declared payload length is smaller than the total extension header lengths, this causes the value to underflow to a very large number.
Because IPv6 parsing happens before firewall rules are enforced, a remote attacker can send a specially crafted IPv6 packet to a host, even if all ports are blocked, to trigger out-of-bounds memory reads or oversized memory copies in the Windows kernel. This leads to a system crash, commonly known as a Blue Screen of Death (BSOD).
How can this vulnerability impact me?
This vulnerability allows a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition by crashing the affected system. The attacker can send a single crafted IPv6 packet that triggers a kernel-level crash, resulting in a Blue Screen of Death (BSOD).
Because the attack can be performed without any authentication and even when all ports are blocked by the firewall, it poses a significant risk of system disruption and downtime.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crafted IPv6 packets that exploit the integer underflow in the IPv6 packet parser of Comodo Internet Security's firewall driver Inspect.sys. Since the vulnerability is triggered by a single specially crafted IPv6 packet, network detection tools could look for unusual or malformed IPv6 packets with payload lengths smaller than the sum of their extension-header lengths.
A practical approach to detection is to use the proof-of-concept (PoC) exploit named ComoDoS, available on GitHub, which demonstrates how the flaw can be triggered. Running this PoC in a controlled environment can help verify if a system is vulnerable.
Specific commands are not provided in the resources, but network administrators can use packet capture tools like tcpdump or Wireshark to filter and analyze IPv6 packets for suspicious payload length fields and extension headers. For example, a tcpdump command to capture IPv6 packets might be:
- tcpdump -i <interface> ip6
Further analysis would require inspecting the payload length and extension headers manually or with custom scripts.
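One form such a custom script could take, added here as an example and not taken from the advisory or the ComoDoS PoC: it walks the extension-header chain of a raw IPv6 packet (starting at the IPv6 header, with no link-layer header) and flags a declared payload length smaller than the chain. Header sizes follow RFC 8200 and RFC 4302; the function names and sample packets are constructed for illustration.

```python
import struct

EXT_LEN8 = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options: (len + 1) * 8 bytes
FRAGMENT, AH = 44, 51    # Fragment: fixed 8 bytes; AH: (len + 2) * 4 bytes
IPV6_HDR_LEN = 40


def check_ipv6(packet: bytes):
    """Classify one raw IPv6 packet; returns (verdict, ext_total, payload_len)."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return ("not-ipv6", 0, 0)
    payload_len, next_hdr = struct.unpack_from("!HB", packet, 4)
    if payload_len == 0 and next_hdr == 0:
        return ("jumbogram", 0, 0)   # RFC 2675 length option, not evaluated here
    offset, ext_total = IPV6_HDR_LEN, 0
    while next_hdr in EXT_LEN8 or next_hdr in (FRAGMENT, AH):
        if offset + 2 > len(packet):
            return ("truncated", ext_total, payload_len)
        following, len_field = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            size = 8
        elif next_hdr == AH:
            size = (len_field + 2) * 4
        else:
            size = (len_field + 1) * 8
        ext_total += size
        # Compare before subtracting: the chain must fit in the declared length.
        if ext_total > payload_len:
            return ("underflow", ext_total, payload_len)
        offset += size
        next_hdr = following
    return ("ok", ext_total, payload_len)


def sample(payload_len: int, next_hdr: int, body: bytes) -> bytes:
    """Constructed test input: fixed header with all-zero addresses, then body."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 64) + bytes(32) + body


# Constructed samples: one consistent packet, one whose 16-byte Destination
# Options header exceeds its declared 8-byte payload length.
CONSISTENT = sample(16, 60, bytes([59, 0, 1, 4, 0, 0, 0, 0]) + bytes(8))
INCONSISTENT = sample(8, 60, bytes([59, 1]) + bytes(14))

if __name__ == "__main__":
    for name, pkt in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, check_ipv6(pkt))
```

To run it over a capture, strip the link-layer header from each frame first and treat any "underflow" verdict as a packet worth alerting on or dropping upstream.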
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Comodo Internet Security to a version later than 12.3.4.8162, as this vulnerability affects versions up to and including 12.3.4.8162.
If an update is not immediately available, consider disabling the Comodo Internet Security firewall component or blocking IPv6 traffic at the network perimeter to prevent the crafted packets from reaching vulnerable hosts.
Additionally, monitoring network traffic for suspicious IPv6 packets and applying network-level filtering rules to drop malformed IPv6 packets can help reduce exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.