CVE-2026-60109 PUBLISHED

Zeek < 8.0.9 Null Pointer Dereference DoS via Kerberos KRB_ERROR Parsing

Assigner: VulnCheck
Reserved: 08.07.2026 Published: 09.07.2026 Updated: 09.07.2026

Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. Attackers can exploit a parser and analyzer state mismatch where proc_padata() dereferences an uninitialized pa_data_element field selected by the wrong parsing arm, triggering a crash via a single UDP or TCP packet to port 88 without any credentials or prior authentication.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor zeek
Product zeek
Versions Default: affected
  • affected from 0 to 8.0.9 (excl.)

Credits

  • Jaime Sánchez Sánchez finder

References

Problem Types

  • NULL Pointer Dereference CWE