Impact
Xcitium Client Security (XCS) before 13.8.2.10019 and Comodo Internet Security (CIS) through 12.3.4.8162 contain an integer underflow in the Inspect.sys firewall driver that allows remote unauthenticated attackers to crash the system by sending a crafted IPv6 packet. The packet’s declared payload length is smaller than the sum of its extension‑header lengths, causing the unsigned 64‑bit payload‑length value to underflow to a near‑maximal integer. This underflow triggers an out‑of‑bounds read and an oversized memcpy in the Windows kernel at DISPATCH_LEVEL, resulting in a blue screen of death even on hosts with all ports blocked.
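The length comparison whose absence produces this kind of underflow, shown as an added example; it is not code from Inspect.sys or from the vendor. The function names and calling convention are assumptions, and only the Hop-by-Hop, Routing and Destination Options headers are walked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The arithmetic the advisory describes: subtract without comparing first. */
uint64_t unchecked_remaining(uint64_t payload_len, uint64_t ext_total) {
    return payload_len - ext_total;   /* wraps when ext_total > payload_len */
}

/* Headers that share the "Hdr Ext Len" encoding (RFC 8200):
 * Hop-by-Hop (0), Routing (43), Destination Options (60). */
static int is_ext_header(uint8_t nh) {
    return nh == 0 || nh == 43 || nh == 60;
}

/* Hypothetical helper. p points just past the 40-byte fixed header and holds
 * `captured` bytes. Returns 0 and stores the bytes left for the upper layer,
 * or -1 when the chain does not fit inside the declared payload length. */
int checked_upper_len(uint8_t next_hdr, const uint8_t *p, size_t captured,
                      uint16_t payload_len, uint64_t *upper_len) {
    uint64_t remaining = payload_len;
    size_t off = 0;
    if (payload_len > captured) return -1;       /* declared more than received */
    while (is_ext_header(next_hdr)) {
        if (remaining < 8) return -1;            /* no room for a minimal header */
        uint64_t hlen = ((uint64_t)p[off + 1] + 1) * 8;
        if (hlen > remaining) return -1;         /* would underflow: reject */
        next_hdr = p[off];
        remaining -= hlen;
        off += (size_t)hlen;
    }
    *upper_len = remaining;
    return 0;
}

int main(void) {
    /* Constructed sample: one 8-byte Hop-by-Hop header (PadN), then 8 data bytes. */
    const uint8_t ok[16]  = {17, 0, 1, 4, 0, 0, 0, 0};
    /* Constructed sample: header claims 16 bytes, packet declares only 8. */
    const uint8_t bad[16] = {17, 1, 1, 12};
    uint64_t n = 0;
    printf("ok:  rc=%d upper=%llu\n", checked_upper_len(0, ok, 16, 16, &n),
           (unsigned long long)n);
    printf("bad: rc=%d\n", checked_upper_len(0, bad, 16, 8, &n));
    printf("unchecked: %llu\n", (unsigned long long)unchecked_remaining(8, 16));
    return 0;
}
```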
Affected Systems
The vulnerability exists in the Inspect.sys component of Comodo Internet Security and in Xcitium Client Security prior to version 13.8.2.10019. Affected Comodo Internet Security releases include versions up to 12.3.4.8162. The fix was scheduled for release in Q3 2026. Until that time, any installation of these products remains vulnerable.
Risk and Exploitability
Based on the CVSS score of 8.7, this flaw is classified as High severity. The EPSS metric of less than 1% indicates that the probability of exploitation in the wild is currently low, and the vulnerability is not yet listed in CISA’s KEV catalog. Attacks would involve sending a single malicious IPv6 packet with a declared payload length smaller than the sum of the extension‑header lengths to a host that processes IPv6 traffic. The underflow triggers an out‑of‑bounds read and oversized memcpy at DISPATCH_LEVEL, causing the system to BSOD. Because the attack does not require authentication and can target any host with the vulnerable driver, the risk is substantial for exposed systems, particularly those that accept inbound IPv6 traffic.