Comodo Internet Security's firewall driver Inspect.sys contains an integer underflow in its IPv6 packet parser. The parser decrements an unsigned 64-bit payload-length value (taken from the IPv6 fixed header's payload length field) by the size of each IPv6 extension header without validating it, so a packet whose declared payload length is smaller than the sum of its extension-header lengths underflows the value to a near-maximal 64-bit integer. Because IPv6 parsing occurs before firewall rule enforcement, a remote, unauthenticated attacker can send a single crafted IPv6 packet - even to a host with all ports blocked - to trigger an out-of-bounds read (and, on a separate code path, an oversized memcpy) in the Windows kernel at DISPATCH_LEVEL, crashing the system (BSOD).
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-49494 exposes a critical integer underflow vulnerability in Comodo Internet Security's Inspect.sys firewall driver, specifically within its IPv6 packet parsing logic. The vulnerability occurs when the parser decrements an unsigned 64-bit payload-length value without validating that the declared payload length is at least the cumulative size of the IPv6 extension headers. Maliciously crafted packets with undersized payload declarations trigger integer underflow, wrapping the value to near-maximal 64-bit integers. This affects organizations running Comodo Internet Security across Windows endpoints, where the firewall driver operates at a privileged kernel level. Because this parsing occurs before firewall rule evaluation, successful exploitation could allow attackers to bypass security controls entirely, making this a high-severity issue despite its CVSS score of 7.5.
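The length accounting described above, as an added example (not Comodo's driver code and not taken from the advisory): a user-mode C model that walks a well-formed, constructed extension-header chain, first with the unchecked decrement and then with the comparison a hardened parser needs. The function names, the sample chain and the restriction to header types 0, 43 and 60 are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed sample: two 8-byte destination-options headers (type 60),
   each padded with PadN; the chain ends with next header 59 (none). */
static const uint8_t CHAIN[16] = {60, 0, 1, 4, 0, 0, 0, 0,
                                  59, 0, 1, 4, 0, 0, 0, 0};

/* Headers with the generic (next header, hdr ext len) layout. */
static int is_ext(uint8_t nh) { return nh == 0 || nh == 43 || nh == 60; }

/* Model of the flaw: decrement with no comparison; reads stay inside buf. */
uint64_t remaining_unchecked(uint8_t nh, uint64_t payload_len,
                             const uint8_t *buf, size_t buf_len)
{
    uint64_t remaining = payload_len;
    size_t off = 0;
    while (is_ext(nh) && off + 2 <= buf_len) {
        uint64_t hdr = ((uint64_t)buf[off + 1] + 1) * 8; /* 8-octet units */
        remaining -= hdr;            /* wraps when hdr > remaining */
        nh = buf[off];
        off += (size_t)hdr;
    }
    return remaining;
}

/* Hardened form: compare before subtracting and bound reads by both the
   declared length and the captured bytes. 0 = ok, -1 = drop the packet. */
int remaining_checked(uint8_t nh, uint64_t payload_len,
                      const uint8_t *buf, size_t buf_len, uint64_t *out)
{
    uint64_t remaining = payload_len;
    size_t off = 0;
    if (payload_len > buf_len) return -1;    /* declared more than captured */
    while (is_ext(nh)) {
        if (remaining < 2) return -1;        /* no room for the fixed bytes */
        uint64_t hdr = ((uint64_t)buf[off + 1] + 1) * 8;
        if (hdr > remaining) return -1;      /* subtraction would underflow */
        nh = buf[off];
        off += (size_t)hdr;
        remaining -= hdr;
    }
    *out = remaining;
    return 0;
}

int main(void) {
    uint64_t r;
    return remaining_checked(60, 16, CHAIN, sizeof CHAIN, &r);
}
```

With the declared length passed as 8 instead of 16, the unchecked function returns a value eight below 2^64, which is the kind of near-maximal length the page says later feeds the out-of-bounds read and the oversized copy; the checked function rejects the same input before subtracting.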
While CVE-2026-49494 does not currently map to specific MITRE ATT&CK techniques, Casky's 754 security skills—powered by Claude AI's extended reasoning capabilities—would detect anomalous IPv6 traffic patterns and packet construction indicators associated with exploitation attempts. Practitioners using Casky would observe findings related to malformed IPv6 header structures, suspicious payload-length declarations inconsistent with actual packet composition, and kernel-level firewall driver behaviors suggesting integer arithmetic anomalies. These detection patterns would surface through network traffic analysis and system behavior monitoring, enabling security teams to identify attack attempts before kernel-mode bypass occurs. The absence of current public exploit code underscores the importance of proactive threat hunting using advanced reasoning capabilities to identify attack precursors.