Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System
Cybersecurity NewsArchived Jun 04, 2026✓ Full text saved
An unpatched zero-day vulnerability in Comodo Internet Security’s firewall driver, Inspect.sys, after receiving no response from the vendor following multiple disclosure attempts. The vulnerability, dubbed ComoDoS, uncovered by Marcus Hutchins, allows a remote attacker to crash a target Windows system with a single malformed IPv6 packet, bypassing all configured firewall rules in the process. At […] The post Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows Syst
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System
By Guru Baran
June 4, 2026
An unpatched zero-day vulnerability in Comodo Internet Security’s firewall driver, Inspect.sys, after receiving no response from the vendor following multiple disclosure attempts.
The vulnerability, dubbed ComoDoS, uncovered by Marcus Hutchins, allows a remote attacker to crash a target Windows system with a single malformed IPv6 packet, bypassing all configured firewall rules in the process.
At the time of publication, no patch exists. Marcus Hutchins submitted a full root-cause analysis, patch suggestions, and a proof-of-concept (PoC) to Comodo’s security team but received zero acknowledgment.
Comodo Internet Security 0-Day Vulnerability
The flaw resides in Inspect.sys’s IPv6 header parser. IPv6 packets support optional “extension headers” that chain between the fixed 40-byte IPv6 header and the upper-layer protocol (TCP, UDP, etc.).
The parser iterates through these extension headers, subtracting each header’s length from a payload_length variable derived directly from the attacker-controlled IPv6 fixed header.
The critical issue: the code never validates the payload length field. If an attacker sets the IPv6 payload length to a value smaller than the total extension header lengths, the unsigned 64-bit payload_length variable underflows and wraps around to approximately 18.4 quintillion (0xFFFFFFFFFFFFFFF8).
Because the firewall driver must parse TCP/IP headers before enforcing any firewall rules, this parsing occurs regardless of whether every port is blocked.
The resulting integer underflow triggers a kernel crash (BSOD), making it a reliable remote denial-of-service primitive. The PoC exploit is remarkably compact, fitting in four lines of Python using Scapy:
pythonext = IPv6ExtHdrDestOpt(nh=6, options=[PadN(optdata=b"\x00" * 8)])
tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000)
ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8)
pkt = ipv6 / ext / tcp
send(packet)
Marcus Hutchins deliberately used the Destination Options extension header (type 60) because it is subject to the least router-level filtering, maximizing the likelihood that the malicious packet reaches its target across the internet.
Beyond the DoS primitive, Marcus Hutchins identified reachable out-of-bounds (OOB) read and write paths triggered by the same underflowed value. However, both primitives face significant exploitation constraints.
The OOB-read occurs inside a WebDAV/HTTP artifact scanner, where the size value is truncated to 16-bit, capping it at 65 KB. A page fault in this path crashes the system at DISPATCH_LEVEL.
The OOB-write, reached only after a full TCP handshake, truncates the underflowed size to 32-bit, producing a 4 GB kernel pool overflow that is virtually guaranteed to crash the system. Since standard network packets max out at 65 KB, there is no realistic way to shrink the overflow enough to prevent a crash, making remote code execution (RCE) highly unlikely at this time.
The vulnerability was discovered during research into BYOVD (Bring Your Own Vulnerable Driver) attack surfaces using an AI-assisted analysis pipeline.
While auditing Comodo’s older driver version, Marcus Hutchins identified architectural weaknesses that motivated manual analysis of the current driver, leading directly to this finding.
A full PoC is publicly available on GitHub. Organizations relying on Comodo Internet Security should monitor for anomalous IPv6 traffic and consider network-level controls blocking malformed IPv6 extension headers as a temporary mitigation until an official patch is released.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users
Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks
The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks
Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices
Latest News
Cyber Security News
Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malware
Cyber Security News
Cisco Unified Communications Manager Vulnerability Exposed Along With PoC Exploit Code
Android
CISA Warns of Android Framework Integer Overflow Vulnerability Exploited in Attacks
Cyber Security News
Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials
Cyber Security News
Acer Working to Patch Wave 7 Router 0-day Vulnerability