Zeek FTP Analyzer Uncontrolled Memory Consumption, CVE-2026-60108 (High) -DC-Jul2026-884

Listen to this Post

CVE-2026-60108 details a critical uncontrolled memory consumption vulnerability within the FTP analyzer of Zeek, a prominent network security monitoring tool. This flaw, present in all Zeek versions prior to 8.0.9, enables an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition, effectively terminating the Zeek sensor process and disrupting network traffic analysis.
The vulnerability resides in how the FTP analyzer processes the `AUTH GSSAPI` command during an FTP control session. When a client initiates an FTP session and requests the GSSAPI authentication mechanism, the server (in this context, the Zeek analyzer) expects to receive an `ADAT` (Authentication Data) token from the client as part of the negotiation. This token is transmitted as a base64-encoded string on the control line.
The core issue lies within the `NVT_Analyzer` component, which is responsible for parsing and decoding these tokens. During the base64 decoding process, the analyzer allocates an internal buffer to hold the decoded data. However, the code lacks a crucial maximum line length check. When it encounters an `ADAT` token, it does not validate the size of the incoming base64 string before attempting to decode it.
As the analyzer processes the token, it reads the base64 data and begins decoding it into its internal buffer. If the input is exceptionally large, the decoder’s buffer management logic, which is designed to double the buffer size when more space is needed, enters an unbounded loop. For each chunk of data that exceeds the current buffer capacity, the buffer size is doubled. This doubling continues without any upper bound, as there is no mechanism to cap the buffer growth based on a maximum line length or available system memory.
Consequently, an attacker can craft a malicious FTP control session that negotiates `AUTH GSSAPI` and then sends an `ADAT` control line containing an extremely large base64 payload. The Zeek FTP analyzer will attempt to decode this payload, causing its internal buffer to grow exponentially. This uncontrolled memory allocation rapidly consumes all available system memory, leading to process termination. The Zeek sensor crashes, resulting in a complete loss of network visibility until the service is manually restarted.
This vulnerability is particularly concerning because it requires no authentication and can be exploited over the network. A single crafted packet or series of packets can effectively knock out a Zeek sensor, making it a potent DoS vector. The weakness is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), highlighting the fundamental lack of resource constraints in the parsing logic.

DailyCVE Form:

Platform: Zeek
Version: < 8.0.9
Vulnerability: Uncontrolled Memory Consumption
Severity: High (CVSS 7.5)
date: 2026-07-09

Prediction: 2026-07-12 (patch expected)

What Undercode Say:

Analytics:

  • Attack Vector: Network-based, unauthenticated
  • Affected Component: FTP analyzer (NVT_Analyzer)
  • Root Cause: Missing max line length check
  • Exploitability: Remotely exploitable with low complexity
  • Impact: Denial of service (sensor crash)
  • CVSS Score: 7.5 (High)
  • CWE: 770 (Allocation without Limits)
  • Patch Status: Fixed in Zeek 8.0.9
  • Detection: Monitor for large ADAT tokens in FTP
  • Mitigation: Apply patch or disable GSSAPI

Bash commands and codes:

Check Zeek version
zeek --version
Verify if vulnerable (version < 8.0.9)
if [[ $(zeek --version | grep -oP 'Zeek \K[0-9.]+' | head -1) < "8.0.9" ]]; then
echo "Vulnerable to CVE-2026-60108"
else
echo "Patched"
fi
Simulate a crafted FTP control session (for testing in isolated lab)
Note: This is a proof-of-concept and should not be used maliciously.
{
echo "USER anonymous"
echo "PASS anonymous"
echo "AUTH GSSAPI"
Send a large ADAT token (base64 of 1MB of 'A's)
echo "ADAT $(head -c 1000000 /dev/zero | tr '\0' 'A' | base64 -w0)"
echo "QUIT"
} | nc -v <target-ip> 21
Monitor memory usage during attack
watch -n 1 'ps aux | grep zeek | grep -v grep | awk "{print \$4, \$6}"'
Apply patch (Ubuntu/Debian example)
sudo apt-get update && sudo apt-get install zeek=8.0.9
Restart Zeek after patching
sudo systemctl restart zeek

Exploit:

An attacker can exploit this vulnerability by establishing an FTP control connection to a target Zeek sensor and issuing the `AUTH GSSAPI` command. Following this, they send an `ADAT` control line with a massively oversized base64-encoded token. The Zeek FTP analyzer, lacking a line length limit, will attempt to decode this token, triggering the unbounded buffer doubling. This rapidly exhausts system memory, causing the Zeek process to crash. The attack can be performed in a single TCP session and does not require any prior authentication or special privileges.

Protection:

  • Immediate: Upgrade to Zeek version 8.0.9 or later, which includes a fix that enforces a maximum line length for FTP control commands.
  • Workaround: If an immediate upgrade is not possible, consider disabling the GSSAPI authentication mechanism in the Zeek FTP analyzer configuration, or deploy network-level ACLs to restrict FTP traffic to trusted sources only.
  • Monitoring: Implement monitoring for anomalous FTP control sessions with excessively long `ADAT` lines, which could indicate an ongoing attack.

Impact:

Successful exploitation results in a denial-of-service condition where the Zeek sensor process terminates. This leads to a complete loss of network traffic analysis and logging capabilities until the service is manually restarted. For organizations relying on Zeek for security monitoring, intrusion detection, and network forensics, this disruption can create a significant blind spot, potentially allowing malicious activities to go undetected. The vulnerability is remotely exploitable with low complexity, making it a high-priority risk for all Zeek deployments.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top