CVE-2026-58058
Published 2026-06-28
Priority P4 34 · medium · 6.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:L
EPSS: 0.28% (19.5th percentile)
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nmap | nmap | <= 7.99 | — |
| nmap | nmap | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.5 | MEDIUM | — |
VulDB
Nmap up to 7.99 libnetutil/netutil.cc integer underflow (EUVD-2026-39978)
vuldb·2026-06-28·CVSS 6.5
CVE-2026-58058 [MEDIUM] Nmap up to 7.99 libnetutil/netutil.cc integer underflow (EUVD-2026-39978)
A vulnerability was found in Nmap up to 7.99. It has been classified as critical. Affected is an unknown function of the file libnetutil/netutil.cc. Performing a manipulation results in integer underflow.
This vulnerability is known as CVE-2026-58058. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
Upgrading the affected component is recommended.
GHSA
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-
ghsa_unreviewed·2026-06-28
CVE-2026-58058 [MEDIUM] CWE-191 Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Red Hat
nmap: Nmap: Denial of Service via crafted IPv6 response
vendor_redhat·2026-06-28·CVSS 6.5
CVE-2026-58058 [MEDIUM] CWE-125 nmap: Nmap: Denial of Service via crafted IPv6 response
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
A flaw was found in Nmap. A remote attacker or a scanned target can send a specially crafted IPv6 response with a truncated extension header. This can lead to an integer underflow, causing out-of-bounds reads and a denial of service (DoS) due to a crash during raw IPv6 scans.
Statement: Red Hat rates this flaw as Modera
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-58058 nmap: Nmap: Denial of Service via crafted IPv6 response [fedora-all]
bugzilla·2026-06-29·CVSS 6.5
CVE-2026-58058 [MEDIUM] CVE-2026-58058 nmap: Nmap: Denial of Service via crafted IPv6 response [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Bugzilla
CVE-2026-58058 nmap: Nmap: Denial of Service via crafted IPv6 response
bugzilla·2026-06-28·CVSS 6.5
CVE-2026-58058 [MEDIUM] CVE-2026-58058 nmap: Nmap: Denial of Service via crafted IPv6 response
Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.
Bugzilla
CVE-2025-58058 cri-o1.29: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.29: github.com/ulikunitz/xz leaks memory [fedora-42]
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from
Bugzilla
CVE-2025-58058 source-to-image: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 source-to-image: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 dnsx: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 dnsx: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 transifex-client: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 transifex-client: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 osbuild-composer: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 osbuild-composer: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 google-osconfig-agent: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 google-osconfig-agent: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 golang-github-facebookincubator-go2chef: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 golang-github-facebookincubator-go2chef: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 golang-github-ulikunitz-xz: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 golang-github-ulikunitz-xz: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 kata-containers: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 kata-containers: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 asnmap: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 asnmap: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 buildah: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 buildah: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o1.32: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.32: github.com/ulikunitz/xz leaks memory [fedora-42]
Discussion:
govulcheck confirmed
Bugzilla
CVE-2025-58058 image-builder: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 image-builder: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o1.30: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.30: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o1.31: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.31: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 golang-github-projectdiscovery-chaos-client: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 golang-github-projectdiscovery-chaos-client: github.com/ulikunitz/xz leaks memory [fedora-42]