🔐 CVE Alert

CVE-2026-60108

HIGH 7.5

Zeek < 8.0.9 Uncontrolled Memory Consumption DoS via FTP Analyzer

CVSS Score
7.5
EPSS Score
0.4%
EPSS Percentile
35th

Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor.

CWE CWE-770
Vendor zeek
Product zeek
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for zeek zeek

Be the first to know when new high vulnerabilities affecting zeek zeek are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

zeek / zeek
0 < 8.0.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/zeek/zeek/releases/tag/v8.0.9 github.com: https://github.com/zeek/zeek/commit/93ff6950a90cfa9d00c1062cde429313a0402a01 vulncheck.com: https://www.vulncheck.com/advisories/zeek-uncontrolled-memory-consumption-dos-via-ftp-analyzer

Credits

Jaime Sánchez Sánchez