🔐 CVE Alert

CVE-2026-60109

HIGH 7.5

Zeek < 8.0.9 Null Pointer Dereference DoS via Kerberos KRB_ERROR Parsing

CVSS Score
7.5
EPSS Score
0.5%
EPSS Percentile
39th

Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. Attackers can exploit a parser and analyzer state mismatch where proc_padata() dereferences an uninitialized pa_data_element field selected by the wrong parsing arm, triggering a crash via a single UDP or TCP packet to port 88 without any credentials or prior authentication.

CWE CWE-476
Vendor zeek
Product zeek
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for zeek zeek

Be the first to know when new high vulnerabilities affecting zeek zeek are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

zeek / zeek
0 < 8.0.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/zeek/zeek/releases/tag/v8.0.9 github.com: https://github.com/zeek/zeek/commit/c82e3c734893d932e94310aec0dbeb1ffcea169d vulncheck.com: https://www.vulncheck.com/advisories/zeek-null-pointer-dereference-dos-via-kerberos-krb-error-parsing

Credits

Jaime Sánchez Sánchez