
Description

Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
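
An added example, not Nmap's code and not the fix commit: a bounds-checked IPv6 extension-header walk in C that keeps the offset within the captured length, so the remaining-length subtraction cannot wrap. The function names, the set of headers handled and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 40-byte fixed header, 8-byte hop-by-hop header, 4 payload bytes. */
static const uint8_t sample_ok[52] = { [0] = 0x60, [6] = 0, [40] = 6, [41] = 0 };
/* Constructed sample: same layout, but Hdr Ext Len claims a 2048-byte header. */
static const uint8_t sample_long[52] = { [0] = 0x60, [6] = 0, [40] = 6, [41] = 0xff };

/* Unchecked arithmetic: once off > caplen the unsigned subtraction wraps. */
size_t naive_remaining(size_t caplen, size_t off) { return caplen - off; }

/* Hop-by-hop (0), routing (43), destination options (60), fragment (44). */
static int is_ext_header(uint8_t nh) {
    return nh == 0 || nh == 43 || nh == 60 || nh == 44;
}

/* Walk the extension headers of the IPv6 packet in pkt[0..caplen).
 * Returns the upper-layer data and fills *proto and *paylen, or NULL if a
 * header would extend past the capture. Invariant: off <= caplen. */
const uint8_t *ipv6_payload_checked(const uint8_t *pkt, size_t caplen,
                                    uint8_t *proto, size_t *paylen) {
    if (pkt == NULL || caplen < 40 || (pkt[0] >> 4) != 6)
        return NULL;
    uint8_t nh = pkt[6];            /* Next Header field of the fixed header */
    size_t off = 40;                /* length of the fixed IPv6 header */
    while (is_ext_header(nh)) {
        if (caplen - off < 2)       /* need Next Header and Hdr Ext Len bytes */
            return NULL;
        /* Fragment header is always 8 bytes; the others are (len + 1) * 8. */
        size_t hlen = (nh == 44) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > caplen - off)    /* header claims more than was captured */
            return NULL;
        nh = pkt[off];
        off += hlen;
    }
    *proto = nh;
    *paylen = caplen - off;         /* cannot wrap: off <= caplen holds here */
    return pkt + off;
}

int main(void) {
    uint8_t proto = 0; size_t len = 0;
    int ok = ipv6_payload_checked(sample_ok, sizeof sample_ok, &proto, &len) != NULL;
    int bad = ipv6_payload_checked(sample_long, sizeof sample_long, &proto, &len) != NULL;
    printf("well-formed accepted=%d, overlong accepted=%d\n", ok, bad);
    return 0;
}
```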

PUBLISHED Reserved 2026-06-28 | Published 2026-06-28 | Updated 2026-06-28 | Assigner VulnCheck




MEDIUM: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

Integer Underflow (Wrap or Wraparound)

Product status

Default status
affected

Any version
affected

Credits

Himanshu Anand (finder)

References

github.com/...ploitarium/tree/main/nmap-ipv6-extlen-wrap-poc (Proof of Concept) exploit third-party-advisory

github.com/...ommit/bb6754e76bb1686315008e1aa1c40202a513fb83 (Fix commit (dev tree)) patch

nmap.org/changelog.html (Nmap Change Log) release-notes

www.vulncheck.com/...erflow-in-ipv6-extension-header-parsing (VulnCheck Advisory: Nmap - Integer Underflow in IPv6 Extension Header Parsing) third-party-advisory

cve.org (CVE-2026-58058)

nvd.nist.gov (CVE-2026-58058)
