Comodo Internet Security Zero-Day Can Crash Windows Systems Through IPv6 Packet Handling Flaw

A newly disclosed zero-day vulnerability in Comodo Internet Security can allow a remote attacker to crash a Windows system running the product’s firewall driver. Security researcher Marcus Hutchins, also known as MalwareTech, published the technical details after saying multiple attempts to contact Comodo received no response.

The issue has been nicknamed ComoDoS because the most practical impact is a denial-of-service attack. According to the research, a crafted IPv6 packet can trigger a kernel crash in the Inspect.sys driver used by Comodo’s firewall component. That means the affected machine can show a Blue Screen of Death even if firewall rules appear to block incoming traffic.

The vulnerability matters because firewall drivers run at a sensitive level of the operating system. When a flaw exists in packet parsing code at that level, the impact can reach the Windows kernel before normal security rules get a chance to decide whether the traffic should pass.

What Comodo Product Is Affected?

The reported flaw affects Comodo Internet Security’s firewall driver, Inspect.sys. Comodo describes Comodo Internet Security 2025 as a security suite that combines antivirus, firewall, real-time scanning, and application sandboxing for Windows PCs.

In this case, the problem sits in the network inspection path, not in the antivirus scanner. The firewall driver needs to parse network traffic before it can apply rules. Hutchins says that behavior lets the malformed IPv6 traffic reach vulnerable parsing logic even when the user has configured strict firewall rules.

No official Comodo patch or advisory was visible at publication. Users and administrators should therefore treat the issue as unresolved until Comodo publishes a fixed version or other formal guidance.

How the ComoDoS Vulnerability Works

The flaw involves how Inspect.sys handles IPv6 extension headers. IPv6 packets can include extra headers between the main IPv6 header and the final upper-layer protocol, such as TCP or UDP. The IETF RFC 9098 explains that this structure can make IPv6 traffic harder for firewalls and other middleboxes to inspect.

Hutchins’ analysis says the vulnerable Comodo parser fails to properly validate a length value while walking through those extension headers. Under certain conditions, the value can wrap around and become extremely large. That incorrect size then causes unsafe kernel behavior and crashes the system.

The researcher also found related out-of-bounds read and write paths. However, the public analysis says remote code execution does not look practical at this stage because the reachable write path is likely to crash the system rather than give an attacker stable control.

Key Details At A Glance

Issue name	ComoDoS
Affected component	Comodo Internet Security firewall driver, Inspect.sys
Main impact	Remote Windows crash or Blue Screen of Death
Attack vector	Malformed IPv6 traffic
Patch status	No official patch confirmed at publication
Public exploit code	Proof-of-concept details have been published by the researcher
Likely RCE risk	Low based on the current public analysis

Why Firewall Rules May Not Stop The Crash

The most concerning part of the report is that the crash can happen before firewall policy enforcement. A firewall must understand enough of a packet to decide whether it should be blocked, allowed, or inspected further. That parsing stage creates risk when the parser itself contains a bug.

This is also why IPv6 extension headers have long created security challenges. The IPv6 extension headers model can force security products to process a chain of headers before finding the final protocol data needed for filtering.

For normal users, the practical result is simple: a vulnerable system could crash from network traffic even when the firewall looks locked down. For businesses, the concern grows if Comodo Internet Security runs on workstations or systems exposed to IPv6 traffic from untrusted networks.

What Users And Admins Can Do Now

Until Comodo releases a fix, affected users should reduce exposure where possible. The safest approach depends on the environment, because blocking all IPv6 traffic can break legitimate network services in some organizations.

• Check whether Comodo Internet Security or Comodo Firewall is installed on Windows systems.
• Monitor Comodo’s update channels for a fixed build or advisory.
• Review whether IPv6 needs to be exposed to untrusted networks.
• Use upstream firewall, router, or gateway controls to filter suspicious IPv6 extension-header traffic where practical.
• Watch for unexplained Windows crashes on systems running Inspect.sys.
• Consider temporary risk reduction steps for critical machines until a vendor patch is available.

Administrators should avoid relying only on host-level firewall rules for mitigation. The reported flaw sits in the packet parsing path, so network-level filtering before traffic reaches the endpoint may offer stronger short-term protection.

Disclosure Raises Patch Response Questions

Hutchins said he sent Comodo a root-cause analysis, suggested fixes, and proof-of-concept material, but did not receive acknowledgment before public disclosure. The technical write-up frames the issue as a zero-day because no patch was available when the details went public.

The disclosure creates a difficult situation for users. Public details can help defenders understand the bug and create mitigations, but they can also help attackers reproduce the crash. That makes a fast vendor response important.

Comodo’s own marketing for Internet Security emphasizes its firewall and layered protection features. For now, users should verify update status carefully and watch for a formal Comodo response.

FAQ