Nmap EUVD-2026-39978

CVE-2026-58058 MEDIUM
Integer Underflow (CWE-191)
2026-06-28 VulnCheck GHSA-wxvj-hc4r-fq45
6.9
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network vector because exploit is delivered via a crafted IPv6 response; PR:N since no privileges on the Nmap host are needed; no integrity impact; low C and A reflecting OOB read and process crash only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: Jun 28, 2026 - 02:32 (vuln.today)
Analysis Generated: Jun 28, 2026 - 02:32 (vuln.today)
CVSS changed: Jun 28, 2026 - 02:22 (NVD), 6.5 (MEDIUM) → 6.9 (MEDIUM)

Description (CVE.org)

Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.

Analysis (AI)

Out-of-bounds reads and a process crash in Nmap through 7.99 can be triggered remotely by any host that is being scanned, or by an on-path attacker, via a crafted IPv6 packet with a truncated extension header. The root cause is an integer underflow in the ipv6_get_data_primitive function (libnetutil/netutil.cc), where an insufficiently strict bounds check allows the extension-header walk pointer to advance past the captured packet buffer, causing the remaining-length subtraction to wrap around to a very large value. …
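A bounds-checked extension-header walk of the kind the analysis describes, written as an added example; it is not Nmap's code and not the upstream fix. The function names and the sample packet are hypothetical, and only the three extension headers that share the generic (Next Header, Hdr Ext Len) layout are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40

/* Unsigned subtraction wraps: once off > len, "remaining" becomes huge. */
size_t naive_remaining(size_t len, size_t off) { return len - off; }

/* Headers with the generic (Next Header, Hdr Ext Len) layout:
 * hop-by-hop (0), routing (43), destination options (60). */
static int is_generic_ext(uint8_t nh) { return nh == 0 || nh == 43 || nh == 60; }

/* Hypothetical helper, not Nmap's function. Returns the upper-layer data in
 * pkt[0..len) or NULL if any header is truncated. Invariant: off <= len. */
const uint8_t *ipv6_payload_checked(const uint8_t *pkt, size_t len,
                                    uint8_t *nxt, size_t *remaining) {
    if (pkt == NULL || len < IPV6_HDR_LEN) return NULL;
    uint8_t nh = pkt[6];
    size_t off = IPV6_HDR_LEN;
    while (is_generic_ext(nh)) {
        if (len - off < 2) return NULL;            /* cannot read the length byte */
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (hlen > len - off) return NULL;         /* header runs past the capture */
        nh = pkt[off];
        off += hlen;
    }
    *nxt = nh;
    *remaining = len - off;                        /* safe: off <= len */
    return pkt + off;
}

/* Constructed sample: 40-byte IPv6 header, one hop-by-hop header, 8 payload
 * bytes. caplen simulates the capture length; returns remaining or -1. */
long walk_sample(size_t caplen, uint8_t hel) {
    uint8_t pkt[56] = {0}, nxt;
    size_t rem;
    pkt[0] = 0x60; pkt[6] = 0;   /* version 6, next header = hop-by-hop */
    pkt[40] = 6; pkt[41] = hel;  /* ext header: next = TCP, Hdr Ext Len */
    if (caplen > sizeof pkt) return -1;
    return ipv6_payload_checked(pkt, caplen, &nxt, &rem) ? (long)rem : -1;
}

int main(void) {
    printf("full=%ld cut=%ld overlong=%ld\n",
           walk_sample(56, 0), walk_sample(41, 0), walk_sample(48, 1));
    printf("naive remaining at off 56, len 48: %zu\n", naive_remaining(48, 56));
    return 0;
}
```

Both length checks compare against `len - off` rather than adding to `off` first, so the comparison itself cannot overflow and `off` never exceeds `len`.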


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Nmap initiates raw IPv6 scan toward target
Delivery: Attacker controls scan target or intercepts response path
Exploit: Attacker returns crafted IPv6 packet with truncated extension header
Install: ipv6_get_data_primitive reads HEL byte without validating full 8-byte header fits in buffer
C2: Walk pointer advances past captured packet end
Execute: Unsigned remaining-length underflows to large value
Impact: Out-of-bounds reads and Nmap process crash

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the victim machine be actively running Nmap in a raw IPv6 scan mode (any mode that processes received IPv6 extension headers via `ipv6_get_data_primitive`, such as `-sS`, `-sU`, `-sN`, or similar scan types combined with `-6`). …

Risk Assessment: The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L) correctly captures that this is a network-reachable, unauthenticated, low-complexity flaw with limited confidentiality and availability impact. …

Exploit Scenario: A security engineer runs an Nmap raw IPv6 scan (`nmap -6 -sS`) against a target IP range that includes a host controlled by a threat actor; the malicious host returns a specially crafted IPv6 response containing a truncated extension header, triggering the integer underflow in `ipv6_get_data_primitive`. The Nmap process reads out-of-bounds memory, potentially leaking fragments of process memory, then crashes - aborting the scan. …

Remediation: Apply the upstream fix by building Nmap from the patched source incorporating commit bb6754e76bb1686315008e1aa1c40202a513fb83 (https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83); a specific tagged release version incorporating this fix was not independently confirmed from the available data, so monitor https://nmap.org/changelog.html for the next published release and upgrade once it appears. …


Vendor Status

Debian

Bug #1140916
Package: nmap

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 7.91+dfsg1+really7.80+dfsg1-2 | - |
| bookworm | vulnerable | 7.93+dfsg1-1 | - |
| trixie | vulnerable | 7.95+dfsg-3 | - |
| forky, sid | vulnerable | 7.99+dfsg-1 | - |
| (unstable) | fixed | (unfixed) | - |


EUVD-2026-39978 vulnerability details – vuln.today
