CVE-2026-60109
Received Received - Intake

Null Pointer Dereference in Zeek Kerberos Analyzer

Vulnerability report for CVE-2026-60109, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: VulnCheck

Description

Zeek before 8.0.9 contains a null pointer dereference vulnerability in its Kerberos protocol analyzer that allows unauthenticated remote attackers to crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. Attackers can exploit a parser and analyzer state mismatch where proc_padata() dereferences an uninitialized pa_data_element field selected by the wrong parsing arm, triggering a crash via a single UDP or TCP packet to port 88 without any credentials or prior authentication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zeek zeek to 8.0.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-60109 is a null pointer dereference vulnerability in the Kerberos protocol analyzer of Zeek versions before 8.0.9. It occurs when an unauthenticated remote attacker sends a specially crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. Due to a mismatch between the parser and analyzer states, the proc_padata() function dereferences an uninitialized pa_data_element field, causing the sensor to crash.

This crash can be triggered by a single UDP or TCP packet sent to port 88 without requiring any credentials or prior authentication.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to cause a denial-of-service (DoS) condition by crashing the Zeek sensor. The crash disrupts network monitoring and analysis, potentially leading to loss of visibility into network traffic and security events.

Since the attack requires no credentials and can be executed with a single crafted packet, it poses a high risk of service interruption.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for specially crafted Kerberos KRB_ERROR messages with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) that contain PA-DATA elements with padata-type 2, 3, 11, or 19.

Detection involves capturing and inspecting UDP or TCP packets sent to port 88 (Kerberos) for these specific malformed packets that trigger the null pointer dereference.

While no explicit commands are provided in the resources, you can use packet capture tools like tcpdump or Wireshark to filter and analyze such traffic. For example, a tcpdump command to capture Kerberos traffic might be:

  • tcpdump -i <interface> port 88

Then, analyze captured packets for KRB_ERROR messages with error-code 25 and PA-DATA elements with the specified padata-types using a protocol analyzer or custom scripts.

Mitigation Strategies

The immediate mitigation step is to upgrade Zeek to version 8.0.9 or later, where this vulnerability has been patched.

The patch fixes the vulnerability by modifying the Kerberos protocol analyzer to properly handle error cases and avoid dereferencing uninitialized data, preventing crashes.

Until the upgrade can be applied, consider blocking or filtering incoming UDP and TCP traffic to port 88 from untrusted sources to reduce exposure to crafted malicious packets.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60109. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart