CVE-2026-58058

MEDIUM 6.5

Nmap - Integer Underflow in IPv6 Extension Header Parsing

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.

CWE	CWE-191
Vendor	nmap
Product	nmap
Published	Jun 28, 2026

Stay Ahead of the Next One

Get instant alerts for nmap nmap

Be the first to know when new medium vulnerabilities affecting nmap nmap are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Affected Versions

Nmap / Nmap

0 ≤ 7.99

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/bikini/exploitarium/tree/main/nmap-ipv6-extlen-wrap-poc github.com: https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83 nmap.org: https://nmap.org/changelog.html vulncheck.com: https://www.vulncheck.com/advisories/nmap-integer-underflow-in-ipv6-extension-header-parsing

Credits

Himanshu Anand