Skip to main content

Zeek CVE-2026-60109

| EUVDEUVD-2026-42598 HIGH
NULL Pointer Dereference (CWE-476)
2026-07-09 VulnCheck GHSA-76hq-67jv-x5j7
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable single packet with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is sensor crash only, so C:N/I:N/A:H and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 14:50 vuln.today

DescriptionCVE.org

Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. Attackers can exploit a parser and analyzer state mismatch where proc_padata() dereferences an uninitialized pa_data_element field selected by the wrong parsing arm, triggering a crash via a single UDP or TCP packet to port 88 without any credentials or prior authentication.

AnalysisAI

Denial of service in Zeek (formerly Bro) network security monitor before 8.0.9 lets remote unauthenticated attackers crash the sensor by sending a single crafted Kerberos KRB_ERROR packet. The flaw is a null pointer dereference (CWE-476) in the Kerberos analyzer's proc_padata() routine, reachable over UDP or TCP port 88 with no credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Zeek-monitored network segment
Delivery
Craft KRB_ERROR err-code 25 with PA-DATA type 2/3/11/19
Exploit
Send single packet to port 88 (UDP/TCP)
Execution
Kerberos analyzer dereferences uninitialized pa_data_element
Persist
Sensor process crashes
Impact
Monitoring blind spot / DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires only that Zeek (before 8.0.9) be observing traffic on the target segment with its Kerberos analyzer active (the default) and that the attacker can inject a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) carrying a PA-DATA element of padata-type 2, 3, 11, or 19 to port 88 (UDP or TCP). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H, base 8.7) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, and a pure availability impact (VA:H) with no confidentiality or integrity loss - i.e., a crash-only DoS, not code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with the ability to place traffic on a network segment monitored by Zeek sends a single crafted Kerberos KRB_ERROR packet (error-code 25 with a PA-DATA element of padata-type 2, 3, 11, or 19) to port 88 over UDP or TCP. Zeek's Kerberos analyzer dereferences the uninitialized pa_data_element field and the sensor crashes, dropping monitoring coverage; the packet needs no credentials, no user interaction, and low complexity. …
Remediation Vendor-released patch: 8.0.9 - upgrade Zeek to v8.0.9 or later (release: https://github.com/zeek/zeek/releases/tag/v8.0.9; fix commit c82e3c734893d932e94310aec0dbeb1ffcea169d). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Zeek deployments and document current versions (run zeek --version on each sensor). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy