Critical Zero-Day: Integer Underflow in Comodo Kernel Driver Enables Remote DoS

A critical, remotely exploitable zero-day vulnerability has been identified in the Comodo Internet Security suite, specifically targeting its kernel-level firewall driver. This flaw allows a remote attacker to trigger an immediate system crash—resulting in a Blue Screen of Death (BSOD)—by sending a single, specially crafted IPv6 packet. As of this report, the vendor has not acknowledged the issue or provided a patch.

The vulnerability was publicly disclosed on June 3, 2026, by security researcher Marcus Hutchins. After repeated attempts to coordinate a responsible disclosure with Comodo failed, Hutchins released the findings to warn the community of the active risk.

The vulnerability, dubbed “ComoDoS,” is rooted in Inspect.sys, the high-privileged kernel driver responsible for Comodo’s firewall operations. Because the flaw exists within the driver’s packet-parsing logic, the attack occurs at a layer below the standard firewall rule engine. Consequently, the malicious packet is processed before any user-defined filtering rules can intercept it, rendering traditional firewall configurations ineffective against this specific vector.

Technical Root Cause Analysis

The vulnerability stems from an improper validation of the IPv6 extension header parsing logic within Inspect.sys. When the driver ingests an IPv6 packet, it captures the payload length from the fixed IPv6 header and stores it in a 64-bit unsigned integer: packet_desc->payload_length.

As the driver iterates through subsequent extension headers to reconstruct the packet’s structure, it performs a subtraction operation, deducting the length of each header from the total payload length. However, the driver fails to verify if the remaining payload length is sufficient to accommodate the next header in the chain.

An attacker can exploit this by crafting a packet where the sum of the extension header lengths exceeds the value declared in the initial IPv6 payload length field. This triggers an integer underflow. Because the variable is an unsigned 64-bit integer, subtracting a larger value from a smaller one causes the value to wrap around to an astronomical figure (approximately 18 quintillion, or 0xFFFFFFFFFFFFFFF8).

Exploitation Mechanics and PoC

Hutchins has provided a Proof-of-Concept (PoC) via GitHub, demonstrating how a minimal payload can achieve total system instability. The exploit utilizes the Destination Options extension header (Next Header type 60). This specific header was chosen because it is a standard part of the IPv6 protocol and is frequently allowed by intermediate network devices, increasing the likelihood of the packet reaching the target without being dropped by edge routers.

# Simplified PoC Logic
ext = IPv6ExtHdrDestOpt(nh=6, options=[PadN(optdata=b"\x00" * 8)])
tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000)
ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8)
pkt = ipv6 / ext / tcp
send(packet)

While the integer underflow technically provides primitives for both an out-of-bounds (OOB) read and an OOB write, achieving Remote Code Execution (RCE) is highly complex in this scenario. The OOB read is limited by a WebDAV artifact scanner that halts upon encountering standard HTTP headers. More importantly, the OOB write occurs during a memcpy operation where the corrupted 64-bit size is truncated to a 32-bit value. This results in a massive 4 GB kernel pool overflow, which inevitably triggers a system crash before a stable execution environment can be established for RCE.

Vendor Unresponsiveness

Despite receiving a comprehensive technical report, including root-cause analysis and recommended patches, Comodo has remained silent. This lack of engagement is not an isolated incident; a previous Zero Day Initiative (ZDI) advisory (ZDI-24-953) highlighted a historical pattern of the vendor ignoring critical security disclosures for extended periods.

Currently, there is no official patch available for ComoDoS. Security administrators are strongly advised to implement the following mitigations:

• Monitor Network Traffic: Inspect perimeter logs for anomalous IPv6 traffic patterns.
• Edge Filtering: At the network edge, consider blocking or strictly inspecting IPv6 extension headers, specifically Destination Options (Next Header 60), until a vendor-supplied update is deployed.
• Evaluate Alternatives: Given the pattern of unresponsiveness, organizations may need to evaluate moving to more actively maintained endpoint security solutions.