CVE-2026-60108 PUBLISHED

Zeek < 8.0.9 Uncontrolled Memory Consumption DoS via FTP Analyzer

Assigner: VulnCheck
Reserved: 08.07.2026 Published: 09.07.2026 Updated: 09.07.2026

Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor zeek
Product zeek
Versions Default: affected
  • affected from 0 to 8.0.9 (excl.)

Credits

  • Jaime Sánchez Sánchez finder

References

Problem Types

  • Allocation of Resources Without Limits or Throttling CWE