OFFSITE.DARK
Jun 29, 2026

Sploitus / Exploitarium

  • nmap
  • ipv6
  • parser
  • exploitarium

news

Nmap IPv6 Extension Header Length Wrap

A Hop-by-Hop extension header with Hdr Ext Len = 1 in a 48-byte capture advances the payload offset past the end of the buffer; the harness reports a wrapped payload_len of 4294967288.

Summary

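A Hop-by-Hop extension header with Hdr Ext Len = 1 occupies 16 bytes, so after the 40-byte fixed IPv6 header the parser's payload offset is 56. On a 48-byte capture that offset lies past the end of the buffer, and the unsigned subtraction 48 - 56 wraps: the harness reports payload_len 4294967288 (2^32 - 8). This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.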

Key Findings

| Finding | Detail |
|---|---|
| Product / target | Nmap libnetutil/netutil.cc (ongoing research) |
| Primitive | Unsigned wrap in payload length after over-advancing pointer |
| Impact | Malformed packet represented as huge UDP payload; downstream scan logic corruption risk. |

Attack Chain

Craft IPv6 HBH ext → parser offset 56 on 48-byte cap → wrapped len → validator adjusts to 64
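
The length arithmetic in the chain above, next to a bounds check that rejects the same input, as an added example in C. It is not Nmap's code and not the Exploitarium PoC: the function names and the 48-byte sample are constructed here, and only the three extension headers that share the next-header/length layout are walked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40u

/* Unchecked form: offset = 40 + (Hdr Ext Len + 1) * 8, subtracted from caplen. */
uint32_t unchecked_len(uint32_t caplen, uint8_t hdr_ext_len)
{
    return caplen - (IPV6_HDR_LEN + ((uint32_t)hdr_ext_len + 1u) * 8u);
}

/* Bounds-checked walk over Hop-by-Hop (0), Routing (43) and Destination
   Options (60) headers, which share the next-header / length layout.
   Returns 0 and fills proto/off/len, or -1 if a header overruns caplen. */
int ipv6_payload_bounds(const uint8_t *pkt, size_t caplen,
                        uint8_t *proto, size_t *off, size_t *len)
{
    if (caplen < IPV6_HDR_LEN) return -1;
    uint8_t nh = pkt[6];
    size_t pos = IPV6_HDR_LEN;         /* invariant: pos <= caplen */
    while (nh == 0 || nh == 43 || nh == 60) {
        if (caplen - pos < 2) return -1;            /* fixed bytes missing */
        size_t ext = ((size_t)pkt[pos + 1] + 1) * 8;
        if (ext > caplen - pos) return -1;          /* header exceeds capture */
        nh = pkt[pos];
        pos += ext;
    }
    *proto = nh; *off = pos; *len = caplen - pos;   /* cannot wrap */
    return 0;
}

/* Constructed sample: 48 captured bytes, Hop-by-Hop first, UDP announced next. */
size_t build_sample(uint8_t buf[48], uint8_t hdr_ext_len)
{
    memset(buf, 0, 48);
    buf[0] = 0x60; buf[6] = 0;         /* version 6, Next Header = Hop-by-Hop */
    buf[40] = 17; buf[41] = hdr_ext_len;
    return 48;
}

int main(void)
{
    uint8_t buf[48], proto; size_t off, len;
    size_t n = build_sample(buf, 1);
    printf("unchecked: %u\n", (unsigned)unchecked_len((uint32_t)n, 1));
    printf("checked:   %d\n", ipv6_payload_bounds(buf, n, &proto, &off, &len));
}
```

The check compares each header length against the bytes remaining (`caplen - pos`) before advancing, so the final subtraction can never go below zero.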

Mitigation

Treat as research-grade; validate Nmap updates; filter malformed IPv6 in IDS where possible.
