CVE-2026-60108
Received Received - Intake

Uncontrolled Memory Consumption in Zeek FTP Analyzer

Vulnerability report for CVE-2026-60108, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulnCheck

Description

Zeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zeek zeek to 8.0.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-60108 is a vulnerability in Zeek versions before 8.0.9 that affects the FTP analyzer component. It allows unauthenticated remote attackers to cause the Zeek process to terminate by sending a specially crafted FTP control session. This session negotiates AUTH GSSAPI followed by a large ADAT control line.

The root cause is that the NVT_Analyzer component does not enforce a maximum line length during base64 decoding of the attacker-controlled ADAT token. This lack of limit causes the internal buffer to continuously double in size without bounds, leading to uncontrolled memory consumption.

As a result, the Zeek sensor crashes due to excessive memory use, causing a denial of service condition.

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) on your Zeek network sensor. An attacker can remotely and without authentication crash the Zeek process by exploiting the uncontrolled memory consumption flaw.

The crash results from the sensor's internal buffer growing without limits when processing a maliciously crafted FTP control session, which can disrupt network monitoring and security analysis.

Detection Guidance

This vulnerability can be detected by monitoring FTP control sessions for unusual AUTH GSSAPI negotiations followed by abnormally large ADAT control lines, which are indicators of an attempted exploit.

Network administrators can use packet capture tools like tcpdump or Wireshark to filter and inspect FTP traffic for AUTH GSSAPI commands and large ADAT tokens.

  • Use tcpdump to capture FTP control traffic: tcpdump -i <interface> 'tcp port 21'
  • Filter captured traffic for AUTH GSSAPI commands and large ADAT lines using Wireshark display filters such as: ftp.request.command == "AUTH" and ftp.request.arg contains "GSSAPI"
  • Analyze logs from Zeek sensors for unexpected process terminations or memory consumption spikes related to FTP analyzer activity.
Mitigation Strategies

The primary mitigation step is to upgrade Zeek to version 8.0.9 or later, where the vulnerability has been fixed by enforcing maximum line length checks to prevent uncontrolled memory consumption.

If upgrading immediately is not possible, consider temporarily disabling or restricting the FTP analyzer component to prevent processing of potentially malicious FTP AUTH GSSAPI sessions.

Monitor Zeek sensor resource usage closely and implement network-level controls to limit or block suspicious FTP traffic that attempts to negotiate AUTH GSSAPI with large ADAT tokens.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart