Critical Zero-Day Vulnerability in Comodo Internet Security Exposes Windows Systems to Remote Crashes
A severe zero-day vulnerability, dubbed ComoDoS, has been discovered in Comodo Internet Security’s firewall driver, Inspect.sys, allowing attackers to remotely crash Windows systems with a single maliciously crafted IPv6 packet regardless of firewall rules. The flaw, identified by security researcher Marcus Hutchins (Malwaretech), stems from an integer underflow in the driver’s IPv6 extension header parser.
The vulnerability affects Comodo’s kernel-mode firewall driver, which parses incoming packets before applying security rules. By exploiting an unchecked integer underflow in the IPv6 payload length field, an attacker can force the system to miscalculate memory allocations, leading to an immediate crash. The proof-of-concept (PoC) exploit, publicly available on GitHub, demonstrates how a compact IPv6 packet with a manipulated Destination Options header (type 60) can trigger the flaw, even if all ports are blocked.
Beyond denial-of-service (DoS), the underflow introduces two memory corruption primitives: an out-of-bounds (OOB) read in a WebDAV/HTTP scanner and an OOB write via memcpy, both of which reliably crash the system due to the impossibly large memory spans involved. While remote code execution (RCE) appears unlikely due to packet size limitations, the flaw remains critical, as it bypasses all firewall protections.
Despite responsible disclosure including a root-cause analysis, patch recommendations, and a PoC Comodo has failed to acknowledge or address the issue. This follows a pattern of vendor inaction; the Zero Day Initiative (ZDI) previously documented a separate Comodo vulnerability (ZDI-24-953) that remained unpatched for nearly two years. Users of Comodo Internet Security are left exposed, with no official mitigation or timeline for a fix.
Source: https://cyberpress.org/comodo-internet-security-0-day/
株式会社comodo cybersecurity rating report: https://www.rankiteo.com/company/comodo
"id": "COM1780575842",
"linkid": "comodo",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Users of Comodo Internet '
'Security on Windows systems',
'industry': 'Cybersecurity',
'name': 'Comodo Group (Comodo Internet Security)',
'type': 'Cybersecurity Software Vendor'}],
'attack_vector': 'Remote IPv6 packet',
'customer_advisories': 'Users are advised to monitor for updates from Comodo '
'and apply patches as soon as they become available. '
'Disabling IPv6 may mitigate the risk temporarily.',
'description': 'A severe zero-day vulnerability, dubbed *ComoDoS*, has been '
'discovered in Comodo Internet Security’s firewall driver, '
'*Inspect.sys*, allowing attackers to remotely crash Windows '
'systems with a single maliciously crafted IPv6 packet '
'regardless of firewall rules. The flaw stems from an integer '
'underflow in the driver’s IPv6 extension header parser, '
'leading to system crashes or memory corruption.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'unpatched critical vulnerability',
'downtime': 'Immediate system crash (Denial-of-Service)',
'operational_impact': 'System crashes bypassing firewall '
'protections',
'systems_affected': 'Windows systems with Comodo Internet Security '
'installed'},
'investigation_status': 'Publicly disclosed; unpatched by vendor',
'lessons_learned': 'Critical vulnerabilities in security software can bypass '
'protections and remain unpatched for extended periods, '
'highlighting the need for timely vendor responses and '
'proactive mitigation strategies.',
'post_incident_analysis': {'corrective_actions': 'Comodo should release a '
'patch addressing the '
'integer underflow and '
'implement stricter input '
'validation in the firewall '
'driver.',
'root_causes': 'Integer underflow in IPv6 '
'extension header parser '
'(Inspect.sys) due to unchecked '
'payload length field, leading to '
'memory miscalculations and system '
'crashes.'},
'recommendations': ['Users should consider disabling IPv6 or replacing Comodo '
'Internet Security until a patch is released.',
'Vendors should prioritize addressing critical '
'vulnerabilities disclosed by researchers, especially '
'those with public PoCs.',
'Organizations should monitor for updates from Comodo and '
'apply patches immediately upon release.'],
'references': [{'source': 'GitHub (Proof-of-Concept Exploit)',
'url': 'https://github.com/MalwareTech/ComoDoS'},
{'source': 'Zero Day Initiative (ZDI-24-953)'},
{'source': 'Marcus Hutchins (Malwaretech)'}],
'response': {'communication_strategy': 'Public disclosure by researcher '
'(Marcus Hutchins) and ZDI; no '
'official response from Comodo'},
'stakeholder_advisories': 'Users and organizations relying on Comodo Internet '
'Security should assess their exposure and consider '
'alternative solutions.',
'title': 'Critical Zero-Day Vulnerability in Comodo Internet Security Exposes '
'Windows Systems to Remote Crashes',
'type': 'Zero-Day Vulnerability',
'vulnerability_exploited': 'Integer underflow in IPv6 extension header parser '
'(Inspect.sys)'}