Skip to main content
Mallory
Back to vulnerabilities
High

Remote DoS in Comodo Internet Security Inspect.sys IPv6 Parser

IdentifiersCVE-2026-49494CWE-191· Integer Underflow (Wrap or…

CVE-2026-49494 is an integer underflow vulnerability in Comodo Internet Security's firewall driver, Inspect.sys, within its IPv6 packet parsing logic. The vulnerable parser subtracts the size of each IPv6 extension header from an unsigned 64-bit payload-length value derived from the IPv6 fixed header payload length field, but does not validate that the remaining length is sufficient before each decrement. If an attacker supplies an IPv6 packet whose declared payload length is smaller than the cumulative size of the included extension headers, the length value underflows to a near-maximum 64-bit integer. This corrupted length is then used in subsequent parsing paths, leading to an out-of-bounds read and, on a separate code path, an oversized memcpy in kernel context. Because this parsing occurs before firewall rule enforcement, the flaw is reachable via a single crafted IPv6 packet sent remotely and without authentication.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes a kernel-mode crash in Windows, resulting in a blue screen of death (BSOD) and denial of service. The vulnerable code executes at DISPATCH_LEVEL in the kernel, so the immediate practical impact described by the available information is reliable remote system crash. The provided content does not establish confirmed arbitrary code execution or privilege escalation.

Mitigation

If you can’t patch tonight, do this now.

Until a vendor fix is deployed, reduce exposure by disabling IPv6 processing on affected hosts where operationally feasible, or otherwise preventing untrusted IPv6 traffic from reaching systems running the vulnerable driver. Network-level filtering of inbound IPv6 traffic, especially from untrusted networks, can reduce exploitability, although host-local parsing may still occur depending on configuration. Because the flaw is triggered before firewall rule enforcement, relying solely on local firewall policy is not sufficient mitigation.

Remediation

Patch, then assume compromise.

Apply the vendor patch or updated version of Comodo Internet Security that corrects bounds checking in Inspect.sys IPv6 extension-header parsing. Specifically, the vulnerable logic should validate that the remaining payload length is at least as large as each extension-header size before subtracting, and should reject malformed IPv6 packets whose declared payload length is inconsistent with extension-header chain length. If no fixed version information is currently available, the information is currently not available.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

6 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-49494
NVD
nvd.nist.gov/vuln/detail/CVE-2026-49494
MITRE CWE · CWE-191
Integer Underflow (Wrap or Wraparound)
github.com
github.com/MalwareTech/ComoDoS
malwaretech.com
malwaretech.com/2026/06/exploiting-a-remote-kernel-vulnerability-in-comodo-internet-security.html
vulncheck.com
vulncheck.com/advisories/comodo-internet-security-inspect-sys-ipv6-integer-underflow-remote-denial-of-service