HIGH 7.5

CVE-2026-49494: Xcitium and Comodo Firewall Integer Underflow DoS Vulnerability

A flaw in the firewall driver used by Xcitium Client Security and Comodo Internet Security allows attackers to remotely crash a computer by sending a specially crafted network packet. The vulnerability exists because the firewall driver incorrectly handles IPv6 packets when the declared payload size is smaller than the actual data it contains. This causes an integer underflow—a calculation error where a number wraps around to an extremely large value—which then causes the system to attempt to read memory far beyond safe boundaries and ultimately crash with a blue screen of death. The attack requires no authentication and can succeed even on fully firewalled systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-191
Affected products
0 configuration(s)
Published / Modified
2026-06-07 / 2026-06-23

NVD description (verbatim)

Xcitium Client Security (XCS) before 13.8.2.10019 and Comodo Internet Security (CIS) through 12.3.4.8162 (fix expected by 2026 Q3) contain an integer underflow vulnerability in the firewall driver Inspect.sys that allows remote unauthenticated attackers to crash the system by sending a crafted IPv6 packet with a declared payload length smaller than the sum of its extension-header lengths. The unsigned 64-bit payload-length value underflows to a near-maximal integer, triggering an out-of-bounds read and oversized memcpy in the Windows kernel at DISPATCH_LEVEL, resulting in a blue screen of death even on hosts with all ports blocked.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in Inspect.sys, the kernel-mode firewall driver component of Xcitium Client Security and Comodo Internet Security. When processing IPv6 packets, the driver fails to properly validate the relationship between the declared payload length and the sum of extension-header lengths. An attacker can craft a malicious IPv6 packet where the payload_length field is set to a value smaller than the cumulative size of extension headers. Because the driver uses unsigned 64-bit integer arithmetic without proper bounds checking, subtracting the extension-header lengths from the undersized payload_length causes an integer underflow, resulting in a near-maximal unsigned integer. This corrupted length value is then passed to a memcpy operation executing at DISPATCH_LEVEL in the Windows kernel, triggering an out-of-bounds memory read and copy that crashes the system.

Business impact

Organizations relying on Xcitium Client Security or Comodo Internet Security for endpoint protection face a denial-of-service risk that is difficult to mitigate through network segmentation alone, since the attack works against fully firewalled hosts. An attacker with Internet-facing targets can remotely crash protected endpoints, disrupting operations, causing data loss during unsaved work, and potentially triggering incident response overhead. In environments where these products are deployed at scale, a coordinated attack could affect multiple machines simultaneously. The high severity score reflects the ease of exploitation (no authentication required, low attack complexity) combined with guaranteed availability impact.

Affected systems

Xcitium Client Security versions before 13.8.2.10019 are affected. Comodo Internet Security through version 12.3.4.8162 is also vulnerable, with fixes expected by 2026 Q3. Any endpoint running these products is at risk if it can receive traffic from the Internet or untrusted networks capable of delivering raw IPv6 packets.

Exploitability

This vulnerability has a network attack vector with low attack complexity and requires no user interaction or privileges. An attacker needs only network reachability to the target and the ability to send crafted IPv6 packets; no authentication is necessary. The attack is reliable and reproducible—crafting the malicious packet requires only basic knowledge of IPv6 packet structure and integer arithmetic. The fact that it succeeds even on systems with all ports blocked indicates the firewall driver processes packets early in the network stack regardless of firewall policy. Exploitation requires no special tools beyond standard packet-crafting capabilities.

Remediation

Update Xcitium Client Security to version 13.8.2.10019 or later immediately. For Comodo Internet Security users, patches are expected by 2026 Q3; organizations should monitor vendor advisories and prioritize testing and deployment when updates become available. Until patches are deployed, consider restricting IPv6 traffic at network boundaries if operationally feasible, though this is not a complete mitigation since the vulnerability affects the firewall driver itself. No configuration setting or policy change within the affected products can eliminate the risk.

Patch guidance

For Xcitium Client Security, upgrade to 13.8.2.10019 or later through the product's update mechanism or vendor portal. Verify the installed version in the application settings or via the Control Panel to confirm successful patching. For Comodo Internet Security, await the Q3 2026 patch release and follow Comodo's deployment guidance. Test patches in a non-production environment first to ensure compatibility with other endpoint controls and business applications. Plan deployment to minimize disruption, as driver updates typically require system restart. Document patch deployment to demonstrate remediation in compliance and audit reviews.

Detection guidance

Monitor system event logs for unexpected blue screen of death (BSOD) events or kernel crashes on endpoints running Xcitium Client Security or Comodo Internet Security. Enable Windows kernel-mode exception logging if available. At the network level, monitor for unusual IPv6 traffic patterns, particularly packets with extension headers where the declared payload length is suspiciously small relative to the header chain. Network intrusion detection systems (IDS) can be configured with signatures to detect IPv6 packets with mismatched payload and header lengths, though such traffic may be rare in normal operations. Query endpoint management systems to inventory which machines are still running vulnerable versions and prioritize patch testing and deployment for those assets.

Why prioritize this

This vulnerability merits immediate patching priority due to its high CVSS score (7.5), trivial exploitability (unauthenticated, no user interaction), and broad reach across Internet-facing and internal-network endpoints. The kernel-level crash guarantee means successful exploitation has severe availability impact. The fact that it bypasses firewall policies on the protected hosts themselves makes traditional network segmentation ineffective as a workaround. Given the expected delay in Comodo patches (through Q3 2026), organizations using that product should upgrade to Xcitium or plan aggressive interim compensating controls.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH severity) reflects: attack vector of Network (unauthenticated, unrestricted reach), attack complexity of Low (no special conditions required), privilege escalation of None (runs in existing firewall driver context), user interaction of None, and impact scope of Unchanged. The availability impact is High (confirmed system crash), while confidentiality and integrity are Not Affected. The score appropriately captures the ease and reliability of exploitation balanced against the scope of impact being limited to denial of service rather than data breach. This is not a KEV entry at time of publication, but the exploitability profile suggests it may be added if public proof-of-concept emerges.

Frequently asked questions

Can I protect myself from this attack if I block IPv6 at my firewall?

Blocking IPv6 at network boundaries would reduce attack surface, but it is not reliable protection because the vulnerable driver processes packets early in the network stack. Additionally, many modern networks require IPv6 for legitimate functionality. The proper remediation is to patch the affected endpoint products.

Why does this attack succeed even if I have a firewall enabled?

The vulnerability is in the firewall driver itself (Inspect.sys), not in firewall policy enforcement. The malicious IPv6 packet is processed by the driver before firewall rules are evaluated, causing a kernel-level crash that brings down the entire endpoint regardless of allowed or blocked ports.

What should I do if I use Comodo Internet Security and cannot patch until Q3 2026?

Immediately inventory affected systems and assess whether Xcitium Client Security can be deployed as a replacement. If not possible, implement IPv6 blocking at network ingress points as a temporary mitigation, and monitor endpoints closely for unexpected crashes. Escalate to Comodo for an expedited patch timeline if your environment is critical.

Is there a way to disable the firewall driver to avoid this vulnerability?

Disabling the firewall driver would eliminate the vulnerability but would also remove your firewall protection entirely, which is not an acceptable trade-off. Patch deployment is the only proper remediation.

This analysis is based on the CVE record published as of 2026-06-23. Patch version numbers and vendor timelines should be verified against official vendor advisories before deployment. Organizations should conduct their own risk assessment based on their specific environment, threat model, and asset criticality. This document does not constitute professional security advice; consult with your security team or a professional security advisor for guidance specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).