CVE-2026-60108
Zeek < 8.0.9 Uncontrolled Memory Consumption DoS via FTP Analyzer
CVSS Score
7.5
EPSS Score
0.4%
EPSS Percentile
35th
Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor.
| CWE | CWE-770 |
| Vendor | zeek |
| Product | zeek |
| Published | Jul 9, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for zeek zeek
Be the first to know when new high vulnerabilities affecting zeek zeek are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
zeek / zeek
0 < 8.0.9
References
Credits
Jaime Sánchez Sánchez