Null Pointer Dereference in Zeek's Kerberos Protocol Analyzer by Zeek
CVE-2026-60109
8.7HIGH
What is CVE-2026-60109?
The null pointer dereference vulnerability in Zeek's Kerberos protocol analyzer allows unauthenticated remote attackers to crash the sensor. This occurs by sending a specially crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) that contains a PA-DATA element featuring padata-type 2, 3, 11, or 19. The flaw arises from a mismatch in parser and analyzer states, specifically when proc_padata() attempts to dereference an uninitialized pa_data_element field, which is selected through an incorrect parsing arm. This vulnerability can be exploited through a single UDP or TCP packet directed to port 88, allowing attackers to trigger a crash without needing any credentials or prior authentication.
Affected Version(s)
zeek 0
