Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable single packet with no auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is sensor crash only, so C:N/I:N/A:H and scope unchanged.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. Attackers can exploit a parser and analyzer state mismatch where proc_padata() dereferences an uninitialized pa_data_element field selected by the wrong parsing arm, triggering a crash via a single UDP or TCP packet to port 88 without any credentials or prior authentication.
AnalysisAI
Denial of service in Zeek (formerly Bro) network security monitor before 8.0.9 lets remote unauthenticated attackers crash the sensor by sending a single crafted Kerberos KRB_ERROR packet. The flaw is a null pointer dereference (CWE-476) in the Kerberos analyzer's proc_padata() routine, reachable over UDP or TCP port 88 with no credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that Zeek (before 8.0.9) be observing traffic on the target segment with its Kerberos analyzer active (the default) and that the attacker can inject a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) carrying a PA-DATA element of padata-type 2, 3, 11, or 19 to port 88 (UDP or TCP). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H, base 8.7) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, and a pure availability impact (VA:H) with no confidentiality or integrity loss - i.e., a crash-only DoS, not code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to place traffic on a network segment monitored by Zeek sends a single crafted Kerberos KRB_ERROR packet (error-code 25 with a PA-DATA element of padata-type 2, 3, 11, or 19) to port 88 over UDP or TCP. Zeek's Kerberos analyzer dereferences the uninitialized pa_data_element field and the sensor crashes, dropping monitoring coverage; the packet needs no credentials, no user interaction, and low complexity. … |
| Remediation | Vendor-released patch: 8.0.9 - upgrade Zeek to v8.0.9 or later (release: https://github.com/zeek/zeek/releases/tag/v8.0.9; fix commit c82e3c734893d932e94310aec0dbeb1ffcea169d). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Zeek deployments and document current versions (run zeek --version on each sensor). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue was discovered in zeek version 4.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitabl
Denial of service in Zeek network security monitor (versions before 8.0.9) lets unauthenticated remote attackers crash t
In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, a NULL pointer dereference in the Kerberos (aka K
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42598
GHSA-76hq-67jv-x5j7