{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-58058", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-06-28T00:58:47.763Z", "datePublished": "2026-06-28T01:32:59.336Z", "dateUpdated": "2026-06-29T14:53:48.365Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-28T01:32:59.336Z"}, "datePublic": "2026-06-25T00:00:00.000Z", "title": "Nmap - Integer Underflow in IPv6 Extension Header Parsing", "descriptions": [{"lang": "en", "value": "Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Integer Underflow (Wrap or Wraparound)", "cweId": "CWE-191", "type": "CWE"}]}], "affected": [{"vendor": "Nmap", "product": "Nmap", "defaultStatus": "affected", "versions": [{"version": "0", "status": "affected", "versionType": "custom", "lessThanOrEqual": "7.99"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nmap:nmap:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.99"}]}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM"}}], "references": [{"url": "https://github.com/bikini/exploitarium/tree/main/nmap-ipv6-extlen-wrap-poc", "name": "Proof of Concept", "tags": ["exploit", "third-party-advisory"]}, {"url": "https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83", "name": "Fix commit (dev tree)", "tags": ["patch"]}, {"url": "https://nmap.org/changelog.html", "name": "Nmap Change Log", "tags": ["release-notes"]}, {"name": "VulnCheck Advisory: Nmap - Integer Underflow in IPv6 Extension Header Parsing", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/nmap-integer-underflow-in-ipv6-extension-header-parsing"}], "credits": [{"lang": "en", "value": "Himanshu Anand", "type": "finder"}], "x_generator": {"engine": "vulncheck-endgame"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-29T14:49:07.833303Z", "id": "CVE-2026-58058", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T14:53:48.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-58058", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-29T14:49:07.833303Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T14:49:12.726Z"}}], "cna": {"title": "Nmap - Integer Underflow in IPv6 Extension Header Parsing", "credits": [{"lang": "en", "type": "finder", "value": "Himanshu Anand"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Nmap", "product": "Nmap", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "7.99"}], "defaultStatus": "affected"}], "datePublic": "2026-06-25T00:00:00.000Z", "references": [{"url": "https://github.com/bikini/exploitarium/tree/main/nmap-ipv6-extlen-wrap-poc", "name": "Proof of Concept", "tags": ["exploit", "third-party-advisory"]}, {"url": "https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83", "name": "Fix commit (dev tree)", "tags": ["patch"]}, {"url": "https://nmap.org/changelog.html", "name": "Nmap Change Log", "tags": ["release-notes"]}, {"url": "https://www.vulncheck.com/advisories/nmap-integer-underflow-in-ipv6-extension-header-parsing", "name": "VulnCheck Advisory: Nmap - Integer Underflow in IPv6 Extension Header Parsing", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck-endgame"}, "descriptions": [{"lang": "en", "value": "Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "Integer Underflow (Wrap or Wraparound)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nmap:nmap:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "7.99"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-06-28T01:32:59.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-58058", "state": "PUBLISHED", "dateUpdated": "2026-06-29T14:53:48.365Z", "dateReserved": "2026-06-28T00:58:47.763Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-06-28T01:32:59.336Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "nmap: Nmap: Denial of Service via crafted IPv6 response", "id": "2493951", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493951"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.", "A flaw was found in Nmap. A remote attacker or a scanned target can send a specially crafted IPv6 response with a truncated extension header. This can lead to an integer underflow, causing out-of-bounds reads and a denial of service (DoS) due to a crash during raw IPv6 scans."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-58058", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "nmap", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "nmap", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "nmap", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "nmap", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "nmap", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-06-28T01:32:59Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-58058\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-58058\nhttps://github.com/bikini/exploitarium/tree/main/nmap-ipv6-extlen-wrap-poc\nhttps://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83\nhttps://nmap.org/changelog.html\nhttps://www.vulncheck.com/advisories/nmap-integer-underflow-in-ipv6-extension-header-parsing"], "statement": "Red Hat rates this flaw as Moderate rather than the AI-assigned Important severity. The Aegis AI-Bot rated UI:N (no user interaction), but nmap is a command-line scanning tool that an operator must manually invoke \u2014 initiating a scan is user interaction per the CVSS definition of UI:R. Correcting UI:N to UI:R reduces the CVSS from 7.5 to 6.5, aligning with the upstream CVEORG assessment. The vulnerability requires a scanned target or on-path attacker to return a crafted IPv6 response with a truncated extension header during a raw IPv6 scan.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.99]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Nmap", "source": "cna", "vendor": "Nmap"}, "product": "nmap", "vendor": "nmap"}], "created": "2026-06-28T03:30:05.217004+00:00", "updated": "2026-06-30T01:45:03.215571+00:00", "vendors": ["nmap", "nmap$PRODUCT$nmap"]}