HIGH | CVE-2026-49494 | CNA: VulnCheck

CVE-2026-49494: Comodo Internet Security Inspect.sys IPv6 Integer Underflow Remote Denial of Service

Comodo Internet Security's firewall driver Inspect.sys contains an integer underflow in its IPv6 packet parser. The parser decrements an unsigned 64-bit payload-length value (taken from the IPv6 fixed header's payload length field) by the size of each IPv6 extension header without validating it, so a packet whose declared payload length is smaller than the sum of its extension-header lengths underflows the value to a near-maximal 64-bit integer. Because IPv6 parsing occurs before firewall rule enforcement, a remote, unauthenticated attacker can send a single crafted IPv6 packet - even to a host with all ports blocked - to trigger an out-of-bounds read (and, on a separate code path, an oversized memcpy) in the Windows kernel at DISPATCH_LEVEL, crashing the system (BSOD).

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: (no version listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An integer underflow vulnerability exists in the IPv6 packet parser inside Inspect.sys, the firewall driver bundled with Comodo Internet Security versions 12.3.4.8162 and earlier. A remote, unauthenticated attacker can send a single crafted IPv6 packet to cause an out-of-bounds read and oversized memory copy in the Windows kernel, crashing the target system with a Blue Screen of Death (BSOD). Because parsing happens before firewall rule enforcement, the crash is reachable even on hosts where all inbound ports are blocked. No upstream fix has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.
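
The unchecked subtraction described in the summary and synopsis above, next to a bounds-checked extension-header walk, as an added C example. It is not Comodo's or HarborGuard's code; the function names, result codes and sample bytes are constructed for illustration, and only Hop-by-Hop, Routing, Fragment and Destination Options headers are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { EXT_OK = 0, EXT_TRUNCATED = -1, EXT_LEN_MISMATCH = -2 };

/* Unchecked pattern from the advisory: unsigned subtraction wraps around. */
uint64_t remaining_unchecked(uint64_t payload_len, uint64_t ext_len) {
    return payload_len - ext_len;
}

/* Hop-by-Hop (0), Routing (43), Fragment (44), Destination Options (60). */
static int is_ext_header(uint8_t nh) {
    return nh == 0 || nh == 43 || nh == 44 || nh == 60;
}

/* Checked walk. `p` points just past the 40-byte fixed header, `captured` is
 * the number of bytes really in the buffer, `declared` is the Payload Length
 * field. On EXT_OK, *upper_len is what is left for the upper-layer protocol. */
int walk_ext_headers(const uint8_t *p, size_t captured, uint16_t declared,
                     uint8_t next_header, size_t *upper_len) {
    size_t remaining = declared, off = 0;
    if (remaining > captured)
        return EXT_TRUNCATED;              /* header claims more than arrived */
    while (is_ext_header(next_header)) {
        if (remaining < 8)
            return EXT_LEN_MISMATCH;       /* no room for the smallest header */
        size_t hdr_len = (next_header == 44) ? 8 : ((size_t)p[off + 1] + 1) * 8;
        if (hdr_len > remaining)
            return EXT_LEN_MISMATCH;       /* subtraction below would wrap */
        next_header = p[off];
        off += hdr_len;
        remaining -= hdr_len;
    }
    *upper_len = remaining;
    return EXT_OK;
}

/* Constructed samples: one Hop-by-Hop header (Next Header 59, PadN filler). */
const uint8_t hbh_8[8]   = { 59, 0, 1, 4 };    /* Hdr Ext Len 0 -> 8 bytes  */
const uint8_t hbh_16[16] = { 59, 1, 1, 12 };   /* Hdr Ext Len 1 -> 16 bytes */

int main(void) {
    size_t upper = 0;
    printf("consistent: %d\n", walk_ext_headers(hbh_8, 8, 8, 0, &upper));
    printf("mismatch:   %d\n", walk_ext_headers(hbh_16, 16, 8, 0, &upper));
    printf("unchecked:  %llu\n", (unsigned long long)remaining_unchecked(8, 16));
    return 0;
}
```

The checked walk keeps `off + remaining` equal to the declared length, so every byte it reads lies inside the captured buffer.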

HarborGuard Coverage

Detection

Detection for CVE-2026-49494 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the Comodo Internet Security driver. Any image found to include an affected version of Inspect.sys surfaces immediately in the scan results.

Status: Available

Triage

HarborGuard scores this CVE at 8.7 HIGH using its CVSS v4.0 vector and weights that score against each customer environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within the customer org based on policy configuration, so the right engineers see the alert without manual triage.

Status: Available

Patch

No upstream fix version has been published for this vulnerability. HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment Comodo publishes a corrected release. In the meantime, customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target over the network; a single crafted IPv6 packet sent from any remote host is sufficient to trigger the vulnerability.

  • Authentication: Not required

    No account or credentials are needed; the vulnerable parsing code executes before any authentication or firewall rule check takes place.

  • Victim interaction: Not required

    No action from a user on the target host is required; the crash is triggered entirely by the incoming malformed packet.

  • Attack complexity: Detail

    Exploit complexity is low: the attacker only needs to send one specially constructed IPv6 packet, with no race conditions or specific environmental state required.

Blast Radius

  • Crashes the target Windows system immediately with a kernel-level Blue Screen of Death, taking all running processes and workloads offline.
  • Causes unplanned system downtime for any host running an affected version of Comodo Internet Security, regardless of its configured firewall rules.
  • Enables a persistent denial-of-service condition if the attacker continues sending crafted packets after each reboot, keeping the host unavailable indefinitely.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-49494 as of publication, HarborGuard monitors the Comodo advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a corrected version is released. For environments with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and a PR opened against any affected workloads, with no manual intervention needed. While awaiting a patch, consider compensating controls such as network-policy rules that drop malformed or unexpected IPv6 extension-header traffic at the perimeter, egress and ingress filtering on IPv6 at the infrastructure layer, and isolation of hosts running Comodo Internet Security from untrusted external IPv6 sources. Where compliance policy permits, flagging affected images as non-compliant for deployment prevents newly built containers that bundle the vulnerable driver from reaching production until a fix is available.

Affected packages

  • Comodo / Comodo Internet Security ≤ 12.3.4.8162

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N