Comodo Internet Security Firewall Driver Integer Underflow (CVE-2026-49494): IPv6 Packet Parser Vulnerability in Kernel-Level Driver


An integer underflow vulnerability in Comodo Internet Security’s firewall driver Inspect.sys, tracked as CVE-2026-49494 (CVSS 7.5), allows crafted IPv6 packets to trigger unexpected behaviour in the kernel-level firewall driver. The vulnerability exists in the IPv6 packet parser and a proof-of-concept named “ComoDoS” has been published.

What Is the Vulnerability?

CVE-2026-49494 is an integer underflow vulnerability (CWE-191) in Comodo Internet Security’s firewall driver Inspect.sys. The IPv6 packet parser decrements an unsigned 64-bit payload-length value — taken from the IPv6 fixed header’s payload length field — by the size of each IPv6 extension header without performing proper bounds validation. A packet whose declared payload length is smaller than the cumulative size of its extension headers causes an integer underflow, resulting in an unexpectedly large value being used in subsequent processing.
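The arithmetic described above, as an added illustration in C: this is not Inspect.sys code or the vendor's patch. The function names, the restriction to three extension header types and the two sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Extension header types walked here: hop-by-hop (0), routing (43), destination options (60). */
static int is_ext(uint8_t nh) { return nh == 0 || nh == 43 || nh == 60; }

/* Constructed samples: fixed header + one 8-byte hop-by-hop header; payload length 8 (OK) or 4 (BAD). */
static const uint8_t SAMPLE_OK[48]  = { [0] = 0x60, [5] = 8, [40] = 59 };
static const uint8_t SAMPLE_BAD[48] = { [0] = 0x60, [5] = 4, [40] = 59 };

/* Unchecked subtraction, as the advisory describes it; the loop guard only keeps this demo's reads in bounds. */
uint64_t remaining_unchecked(const uint8_t *pkt, size_t len)
{
    uint64_t remaining = ((uint64_t)pkt[4] << 8) | pkt[5];   /* payload length field */
    uint8_t nh = pkt[6];
    size_t off = 40;
    while (is_ext(nh) && off + 2 <= len) {
        uint64_t ext = ((uint64_t)pkt[off + 1] + 1) * 8;     /* Hdr Ext Len: 8-byte units, first 8 not counted */
        nh = pkt[off];
        remaining -= ext;                                    /* wraps when ext > remaining */
        off += (size_t)ext;
    }
    return remaining;
}

/* Checked walk: returns the bytes left after the extension headers, or -1 if malformed. */
int64_t remaining_checked(const uint8_t *pkt, size_t len)
{
    if (len < 40) return -1;
    uint64_t remaining = ((uint64_t)pkt[4] << 8) | pkt[5];
    if (remaining > len - 40) return -1;                     /* declared payload must fit the buffer */
    uint8_t nh = pkt[6];
    size_t off = 40;
    while (is_ext(nh)) {
        if (remaining < 8) return -1;                        /* no room for a minimal extension header */
        uint64_t ext = ((uint64_t)pkt[off + 1] + 1) * 8;
        if (ext > remaining) return -1;                      /* would underflow: reject the packet */
        nh = pkt[off];
        remaining -= ext;
        off += (size_t)ext;
    }
    return (int64_t)remaining;
}

int main(void)
{
    printf("unchecked: %llu  checked: %lld\n", (unsigned long long)remaining_unchecked(SAMPLE_BAD, sizeof SAMPLE_BAD),
           (long long)remaining_checked(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```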

The Inspect.sys driver operates at ring 0 (kernel level) as part of the Windows networking stack. Vulnerabilities in kernel-level firewall drivers are particularly concerning because: (1) they run with the highest system privileges, (2) they process all network traffic passing through the system, and (3) a compromised firewall driver can disable or bypass all network-level security controls. The published proof-of-concept demonstrates denial of service, but the nature of the vulnerability — an integer underflow in a kernel driver processing attacker-controlled network data — could potentially be leveraged for more severe impacts including privilege escalation or arbitrary code execution at the kernel level.

  • CVSS v3.1 Score: 7.5 (High)
  • CWE: CWE-191 (Integer Underflow — Wrap or Wraparound)
  • Attack Vector: Network — crafted IPv6 packet
  • Published: June 7, 2026

Which Versions Are Affected?

  • Comodo Internet Security — versions with the vulnerable Inspect.sys firewall driver

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed. The PoC “ComoDoS” demonstrates the denial-of-service aspect of the vulnerability. Given that exploitation requires sending crafted IPv6 packets to the target system, the attack surface is limited to systems with IPv6 enabled and reachable from the attacker — which includes most modern Windows systems with default network configurations.

What Is the Fix?

Update Comodo Internet Security to the latest version that includes the patched Inspect.sys driver. The fix adds proper bounds validation to the IPv6 extension header processing, preventing the integer underflow.

Recommendations

Update Comodo Internet Security. While this is not an emergency-patch item, kernel-level firewall driver vulnerabilities should not be deferred. A compromised firewall driver can disable all network-level security controls on the system.

Verify the updated driver version. After updating, verify that Inspect.sys has been replaced with the patched version. Check the driver file properties in Windows Explorer or via Get-WmiObject Win32_PnPSignedDriver in PowerShell.

Consider IPv6 attack surface reduction. If IPv6 is not required in your environment, disabling it reduces the attack surface for this and future IPv6-related vulnerabilities. However, many modern Windows features and cloud services require IPv6 — test thoroughly before disabling.

This advisory was first covered in the broader Vulnerability Intelligence Report — June 8, 2026.
