Description
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Published: 2026-06-28
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported flaw is an integer underflow in the IPv6 extension-header parsing routine of Nmap. When a scanner processes a crafted IPv6 response that contains a truncated extension header, the parser calculates a remaining length that underflows, resulting in an out‑of‑bounds read before the program crashes. This vulnerability does not grant code execution or system compromise; at worst it causes the scanning tool to crash, denying its availability. The weakness corresponds to CWE‑191 (Integer Underflow or Wraparound).

Affected Systems

The weakness is present in the Nmap network mapping tool from the Nmap project. Vulnerable releases include all Nmap versions 7.99 and earlier. No other vendors or product lines are impacted according to the available data.

Risk and Exploitability

The CVSS score for this issue is 6.9, indicating a moderate severity and a likelihood that an unauthenticated attacker can affect the stability of the scanning host. EPSS is not available, so the current probability of exploitation cannot be determined, and the flaw is not listed in the CISA KEV catalog. The attack vector is remote, requiring an attacker to send a specially crafted IPv6 packet to a host that is performing a raw IPv6 scan. If such a packet is processed, the scanner will crash, interrupting the scan and potentially impacting operations in environments that rely on continuous vulnerability assessment. No privilege escalation or confidentiality compromise is possible with this flaw.

Generated by OpenCVE AI on June 28, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nmap to a patched release, such as 7.100 or later, which includes the fix from commit bb6754e.
  • If you must remain on an older version, avoid using the raw IPv6 scan option (-6) until the software can be updated.
  • Restrict inbound IPv6 traffic to the scanning host by implementing firewall rules that block suspicious IPv6 packets from untrusted networks.

Generated by OpenCVE AI on June 28, 2026 at 03:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Description Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Title Nmap - Integer Underflow in IPv6 Extension Header Parsing
First Time appeared Nmap
Nmap nmap
Weaknesses CWE-191
CPEs cpe:2.3:a:nmap:nmap:*:*:*:*:*:*:*:*
Vendors & Products Nmap
Nmap nmap
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Nmap Nmap
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-28T01:32:59.336Z

Reserved: 2026-06-28T00:58:47.763Z

Link: CVE-2026-58058

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T03:30:05Z

Weaknesses
  • CWE-191

    Integer Underflow (Wrap or Wraparound)