Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector because the exploit is delivered via a crafted IPv6 response; PR:N since no privileges on the Nmap host are needed; no integrity impact; low C and A, reflecting an OOB read and process crash only.
Primary rating from Vendor (VulnCheck).
Description (CVE.org)
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Analysis (AI)
Out-of-bounds reads and a process crash in Nmap through 7.99 can be triggered remotely by any host that is being scanned, or by an on-path attacker, via a crafted IPv6 packet with a truncated extension header. The root cause is an integer underflow in the ipv6_get_data_primitive function (libnetutil/netutil.cc), where an insufficiently strict bounds check allows the extension-header walk pointer to advance past the captured packet buffer, causing the remaining-length subtraction to wrap around to a very large value. …
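The bug class described above, as an added illustration that is neither Nmap's code nor the upstream patch: a bounds-checked IPv6 extension-header walk that compares each header length against the bytes still in the capture before advancing, next to the unchecked subtraction that wraps. All function names and the sample packet are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_FIXED_LEN 40

static int is_ext(uint8_t nh) {            /* HbH, Routing, Fragment, AH, DestOpts */
    return nh == 0 || nh == 43 || nh == 44 || nh == 51 || nh == 60;
}

/* Byte length of the extension header of type nh at h (h[1] must be readable). */
static size_t ext_len(uint8_t nh, const uint8_t *h) {
    if (nh == 44) return 8;                          /* Fragment: fixed size */
    if (nh == 51) return ((size_t)h[1] + 2) * 4;     /* AH: 4-octet units */
    return ((size_t)h[1] + 1) * 8;                   /* others: 8-octet units */
}

/* The failure mode: subtracting after the offset passed caplen wraps around. */
size_t remaining_unchecked(size_t caplen, size_t pos) { return caplen - pos; }

/* Hardened walk over pkt[0..caplen). Returns 0 and fills proto/off/len for the
   upper-layer payload, or -1 if any header is not fully inside the capture. */
int ip6_payload(const uint8_t *pkt, size_t caplen,
                uint8_t *proto, size_t *off, size_t *len) {
    if (caplen < IP6_FIXED_LEN) return -1;
    uint8_t nh = pkt[6];
    size_t pos = IP6_FIXED_LEN;                      /* invariant: pos <= caplen */
    while (is_ext(nh)) {
        if (caplen - pos < 2) return -1;             /* type+length bytes present? */
        size_t hl = ext_len(nh, pkt + pos);
        if (hl > caplen - pos) return -1;            /* whole header present? */
        nh = pkt[pos];
        pos += hl;
    }
    *proto = nh; *off = pos; *len = caplen - pos;    /* cannot wrap */
    return 0;
}

/* Constructed sample: fixed header + 8-byte Hop-by-Hop + 4 bytes of TCP (6).
   cut drops that many trailing bytes to simulate a short capture.
   Returns the payload length, or -1 when the walk rejects the packet. */
long sample_payload_len(size_t cut) {
    uint8_t p[52], proto;
    size_t off, len;
    memset(p, 0, sizeof p);
    p[0] = 0x60;  p[6] = 0;          /* version 6, next header = Hop-by-Hop */
    p[40] = 6;    p[41] = 0;         /* HbH: next = TCP, length = (0+1)*8 */
    if (ip6_payload(p, sizeof p - cut, &proto, &off, &len) != 0) return -1;
    return (long)len;
}
```

The key property is that `pos` never exceeds `caplen`, so every `caplen - pos` is a true remaining-byte count.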
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the victim machine be actively running Nmap in a raw IPv6 scan mode (any mode that processes received IPv6 extension headers via `ipv6_get_data_primitive`, such as `-sS`, `-sU`, `-sN`, or similar scan types combined with `-6`). … |
| Risk Assessment | The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L) correctly captures that this is a network-reachable, unauthenticated, low-complexity flaw with limited confidentiality and availability impact. … |
| Exploit Scenario | A security engineer runs an Nmap raw IPv6 scan (`nmap -6 -sS`) against a target IP range that includes a host controlled by a threat actor; the malicious host returns a specially crafted IPv6 response containing a truncated extension header, triggering the integer underflow in `ipv6_get_data_primitive`. The Nmap process reads out-of-bounds memory, potentially leaking fragments of process memory, then crashes, aborting the scan. … |
| Remediation | Apply the upstream fix by building Nmap from the patched source incorporating commit bb6754e76bb1686315008e1aa1c40202a513fb83 (https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83); a specific tagged release version incorporating this fix was not independently confirmed from the available data, so monitor https://nmap.org/changelog.html for the next published release and upgrade once it appears. … |
Weakness: CWE-191 – Integer Underflow
Technique: Denial Of Service
Vendor Status
Debian
Bug #1140916

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 7.91+dfsg1+really7.80+dfsg1-2 | - |
| bookworm | vulnerable | 7.93+dfsg1-1 | - |
| trixie | vulnerable | 7.95+dfsg-3 | - |
| forky, sid | vulnerable | 7.99+dfsg-1 | - |
| (unstable) | fixed | (unfixed) | - |
EUVD-2026-39978
GHSA-wxvj-hc4r-fq45