CVE-2026-58058

Nmap IPv6 Extension Header Out-of-Bounds Read Vulnerability

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulnCheck

Description

Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.

Meta Information

  • Published: 2026-06-28
  • Last Modified: 2026-06-28
  • Generated: 2026-06-28
  • AI Q&A: 2026-06-28
  • EPSS Evaluated: N/A

Affected Vendors & Products

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| nmap   | nmap    | to 7.99 (inc)   |

Exploitability

| CWE ID | Description |
|--------|-------------|
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |

Impact Analysis

This vulnerability can cause Nmap to perform out-of-bounds memory reads and potentially crash when scanning IPv6 targets.

If you use Nmap for network scanning, an attacker or a malicious target could exploit this flaw to disrupt your scanning operations by causing crashes.

While the vulnerability does not directly lead to code execution, the out-of-bounds reads and crashes can affect the reliability and stability of your scanning tools.

Executive Summary

CVE-2026-58058 is an integer underflow vulnerability in Nmap versions up to 7.99 related to IPv6 extension header parsing.

The flaw occurs in the function ipv6_get_data_primitive within libnetutil/netutil.cc, where the pointer used to parse IPv6 extension headers advances beyond the captured packet buffer.

This causes the calculation of the remaining length to underflow to a very large value, leading to out-of-bounds memory reads.

An attacker or a scanned target can exploit this by sending a crafted IPv6 response with a truncated extension header, which triggers a crash during raw IPv6 scans.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal behavior during raw IPv6 scans using Nmap versions up to 7.99, especially when scanning targets that may respond with crafted IPv6 packets containing truncated extension headers.

A proof-of-concept exists that demonstrates the vulnerability by sending specially crafted IPv6 packets with truncated extension headers to trigger out-of-bounds reads and crashes.

To detect exploitation attempts or the vulnerability on your system, you can run raw IPv6 scans with vulnerable Nmap versions and watch for crashes or errors.

Suggested command to test (use in a controlled environment):

  • Run an IPv6 raw scan with Nmap 7.99 or earlier against a target: nmap -6 -sO <target-ipv6-address>
  • Monitor system logs or Nmap output for crashes or segmentation faults during the scan.

Note: The proof-of-concept code is available in C++17 and should only be used in controlled research environments to safely reproduce the issue.

Mitigation Strategies

The immediate mitigation step is to upgrade Nmap to a version that includes the fix for this vulnerability.

The fix involves changes to the IPv6 extension header parsing logic in the ipv6_get_data_primitive function to ensure proper boundary checks and prevent out-of-bounds memory access.

  • Update Nmap to a version newer than 7.99 that contains the patch.
  • If upgrading immediately is not possible, avoid performing raw IPv6 scans with vulnerable Nmap versions against untrusted or potentially malicious targets.

The patch increases the minimum required bytes for extension header parsing from 2 to 8 and adds checks to prevent pointer overruns, thus preventing crashes and memory corruption.
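
A bounds-checked extension-header walk of the kind described above, next to the unchecked remaining-length arithmetic, as an added example; this is not Nmap's code or the actual patch. The names `ext_hdr_walk`, `is_ext_hdr` and `remaining_unchecked`, the use of `size_t`, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hop-by-Hop (0), Routing (43), Fragment (44), Destination Options (60). */
static int is_ext_hdr(uint8_t nh) {
    return nh == 0 || nh == 43 || nh == 44 || nh == 60;
}

/* Hypothetical helper, not Nmap's ipv6_get_data_primitive. Walks the
 * extension headers in buf (the len captured bytes after the 40-byte fixed
 * header); nxt is the fixed header's Next Header value. Returns the payload
 * offset and sets *proto, or -1 if a header does not fit in the capture. */
long ext_hdr_walk(const uint8_t *buf, size_t len, uint8_t nxt, uint8_t *proto) {
    size_t off = 0; /* invariant: off <= len, so len - off cannot wrap */
    while (is_ext_hdr(nxt)) {
        /* Need a whole 8-byte minimum header before reading any field
         * (the minimum the page says the patch raised from 2 to 8). */
        if (len - off < 8)
            return -1;
        /* Fragment is fixed at 8 bytes; others are (Hdr Ext Len + 1) * 8. */
        size_t hlen = (nxt == 44) ? 8 : ((size_t)buf[off + 1] + 1) * 8;
        /* The declared length must fit in what was actually captured. */
        if (hlen > len - off)
            return -1;
        nxt = buf[off];
        off += hlen;
    }
    *proto = nxt;
    return (long)off;
}

/* For contrast: the unchecked remaining-length arithmetic (CWE-191). Once
 * off has passed len, the unsigned result wraps to a huge value. */
size_t remaining_unchecked(size_t len, size_t off) {
    return len - off;
}

int main(void) {
    /* Constructed sample: Hop-by-Hop header claiming 32 bytes, 8 captured. */
    const uint8_t over[8] = {6, 3, 1, 4, 0, 0, 0, 0};
    uint8_t proto = 0;
    printf("checked walk: %ld\n", ext_hdr_walk(over, sizeof over, 0, &proto));
    printf("unchecked remaining: %zu\n", remaining_unchecked(sizeof over, 32));
    return 0;
}
```

Both length checks compare against `len - off` rather than computing `off + hlen` first, so neither side of the comparison can wrap.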

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-58058 on compliance with common standards and regulations such as GDPR or HIPAA.
