Null Pointer Dereference in Zeek's Kerberos Protocol Analyzer by Zeek
CVE-2026-60109

8.7HIGH

Key Information:

Vendor

Zeek

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-60109?

The null pointer dereference vulnerability in Zeek's Kerberos protocol analyzer allows unauthenticated remote attackers to crash the sensor. This occurs by sending a specially crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) that contains a PA-DATA element featuring padata-type 2, 3, 11, or 19. The flaw arises from a mismatch in parser and analyzer states, specifically when proc_padata() attempts to dereference an uninitialized pa_data_element field, which is selected through an incorrect parsing arm. This vulnerability can be exploited through a single UDP or TCP packet directed to port 88, allowing attackers to trigger a crash without needing any credentials or prior authentication.

Affected Version(s)

zeek 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jaime Sánchez Sánchez
.