Nmap
Out-of-bounds reads and a process crash in Nmap through 7.99 can be triggered remotely by any host that is being scanned, or by an on-path attacker, via a crafted IPv6 packet with a truncated extension header. The root cause is an integer underflow in the `ipv6_get_data_primitive` function (libnetutil/netutil.cc): an insufficiently strict bounds check allows the extension-header walk pointer to advance past the captured packet buffer, so the subsequent remaining-length subtraction wraps around to a very large value. A publicly available exploit proof-of-concept exists; this vulnerability is not currently listed in the CISA KEV catalog.
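The bounds-check ordering at issue, shown as an added illustration in C that is not Nmap's own code: a hypothetical extension-header walk that compares the claimed header length against the bytes still captured before it advances, so a truncated header is rejected instead of letting the remaining length wrap. The header-type constants follow RFC 8200; the sample packet builder and its values are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Next Header values of the generic extension headers walked here (RFC 8200). */
#define IPV6_HDR_HOPOPTS 0
#define IPV6_HDR_ROUTING 43
#define IPV6_HDR_DSTOPTS 60
#define IPV6_FIXED_LEN   40

/* Walk the extension-header chain of an IPv6 packet captured in `len` bytes.
 * Returns the upper-layer protocol number and stores its offset in *payload_off,
 * or -1 if the chain runs past the captured data. off <= len holds before every
 * advance, so the remaining length (len - off) can never underflow. */
int ipv6_walk_ext_headers(const uint8_t *pkt, size_t len, size_t *payload_off)
{
    if (len < IPV6_FIXED_LEN) return -1;
    uint8_t nh = pkt[6];            /* Next Header of the fixed header */
    size_t off = IPV6_FIXED_LEN;    /* walk position into the buffer */
    for (;;) {
        switch (nh) {
        case IPV6_HDR_HOPOPTS:
        case IPV6_HDR_ROUTING:
        case IPV6_HDR_DSTOPTS: {
            /* Need the 2-byte prefix (Next Header, Hdr Ext Len) first. */
            if (len - off < 2) return -1;
            /* Hdr Ext Len counts 8-octet units beyond the first 8 octets. */
            size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
            /* Reject before advancing: skipping this lets off exceed len. */
            if (hlen > len - off) return -1;
            nh = pkt[off];
            off += hlen;
            break;
        }
        default:
            *payload_off = off;
            return nh;
        }
    }
}

/* Constructed sample: fixed header + one Hop-by-Hop header whose Hdr Ext Len
 * field claims `ext_len_units` extra 8-octet units, captured as `cap` bytes. */
int parse_sample(uint8_t ext_len_units, size_t cap, size_t *payload_off)
{
    uint8_t buf[128] = {0};
    buf[6] = IPV6_HDR_HOPOPTS;      /* fixed header points at the ext header */
    buf[40] = 6;                    /* ext header's Next Header: TCP */
    buf[41] = ext_len_units;        /* Hdr Ext Len as claimed by the packet */
    return ipv6_walk_ext_headers(buf, cap > sizeof buf ? sizeof buf : cap, payload_off);
}
```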