CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System

Cybersecurity News Archived Jun 04, 2026 ✓ Full text saved

An unpatched zero-day vulnerability in Comodo Internet Security’s firewall driver, Inspect.sys, after receiving no response from the vendor following multiple disclosure attempts. The vulnerability, dubbed ComoDoS, uncovered by Marcus Hutchins, allows a remote attacker to crash a target Windows system with a single malformed IPv6 packet, bypassing all configured firewall rules in the process. At […] The post Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows Syst

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Comodo Internet Security 0-Day Vulnerability Lets Attacker Crash the User’s Windows System By Guru Baran June 4, 2026 An unpatched zero-day vulnerability in Comodo Internet Security’s firewall driver, Inspect.sys, after receiving no response from the vendor following multiple disclosure attempts. The vulnerability, dubbed ComoDoS, uncovered by Marcus Hutchins, allows a remote attacker to crash a target Windows system with a single malformed IPv6 packet, bypassing all configured firewall rules in the process. At the time of publication, no patch exists. Marcus Hutchins submitted a full root-cause analysis, patch suggestions, and a proof-of-concept (PoC) to Comodo’s security team but received zero acknowledgment. Comodo Internet Security 0-Day Vulnerability The flaw resides in Inspect.sys’s IPv6 header parser. IPv6 packets support optional “extension headers” that chain between the fixed 40-byte IPv6 header and the upper-layer protocol (TCP, UDP, etc.). The parser iterates through these extension headers, subtracting each header’s length from a payload_length variable derived directly from the attacker-controlled IPv6 fixed header. The critical issue: the code never validates the payload length field. If an attacker sets the IPv6 payload length to a value smaller than the total extension header lengths, the unsigned 64-bit payload_length variable underflows and wraps around to approximately 18.4 quintillion (0xFFFFFFFFFFFFFFF8). Because the firewall driver must parse TCP/IP headers before enforcing any firewall rules, this parsing occurs regardless of whether every port is blocked. The resulting integer underflow triggers a kernel crash (BSOD), making it a reliable remote denial-of-service primitive. The PoC exploit is remarkably compact, fitting in four lines of Python using Scapy: pythonext = IPv6ExtHdrDestOpt(nh=6, options=[PadN(optdata=b"\x00" * 8)]) tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000) ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8) pkt = ipv6 / ext / tcp send(packet) Marcus Hutchins deliberately used the Destination Options extension header (type 60) because it is subject to the least router-level filtering, maximizing the likelihood that the malicious packet reaches its target across the internet. Beyond the DoS primitive, Marcus Hutchins identified reachable out-of-bounds (OOB) read and write paths triggered by the same underflowed value. However, both primitives face significant exploitation constraints. The OOB-read occurs inside a WebDAV/HTTP artifact scanner, where the size value is truncated to 16-bit, capping it at 65 KB. A page fault in this path crashes the system at DISPATCH_LEVEL. The OOB-write, reached only after a full TCP handshake, truncates the underflowed size to 32-bit, producing a 4 GB kernel pool overflow that is virtually guaranteed to crash the system. Since standard network packets max out at 65 KB, there is no realistic way to shrink the overflow enough to prevent a crash, making remote code execution (RCE) highly unlikely at this time. The vulnerability was discovered during research into BYOVD (Bring Your Own Vulnerable Driver) attack surfaces using an AI-assisted analysis pipeline. While auditing Comodo’s older driver version, Marcus Hutchins identified architectural weaknesses that motivated manual analysis of the current driver, leading directly to this finding. A full PoC is publicly available on GitHub. Organizations relying on Comodo Internet Security should monitor for anomalous IPv6 traffic and consider network-level controls blocking malformed IPv6 extension headers as a temporary mitigation until an official patch is released. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks The Gentlemen Ransomware Group Uses Fortinet Exploits, AI, and Custom C2 Frameworks Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices Latest News Cyber Security News Hackers Abusing Microsoft Teams and Google Drive to Deploy Remote Access Malware Cyber Security News Cisco Unified Communications Manager Vulnerability Exposed Along With PoC Exploit Code Android CISA Warns of Android Framework Integer Overflow Vulnerability Exploited in Attacks Cyber Security News Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials Cyber Security News Acer Working to Patch Wave 7 Router 0-day Vulnerability
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗