Zeek Network Security Monitor, Null Pointer Dereference, CVE-2026-60109 (High) -DC-Jul2026-891

Listen to this Post

CVE-2026-60109 is a null pointer dereference vulnerability affecting Zeek (formerly Bro) before version 8.0.9. The flaw resides in the Kerberos protocol analyzer, a component responsible for parsing and logging Kerberos authentication traffic on port 88 (TCP/UDP). An unauthenticated remote attacker can exploit this bug by sending a single specially crafted KRB_ERROR message, which causes the Zeek sensor to crash, effectively resulting in a denial of service (DoS) with no prior authentication or credentials required.
The vulnerability is rooted in a parser and analyzer state mismatch when processing certain error messages. Specifically, an attacker sends a KRB_ERROR message with error-code 25, which corresponds to KDC_ERR_PREAUTH_REQUIRED. This error code indicates that the Key Distribution Center (KDC) expects pre-authentication. Within this error message, the attacker includes a PA‑DATA (pre‑authentication data) element with a `padata‑type` of 2, 3, 11, or 19. These types are associated with various pre‑authentication mechanisms such as PA‑ENC‑TIMESTAMP, PA‑ETYPE‑INFO, etc.
When the Zeek Kerberos analyzer processes this packet, the `proc_padata()` function is invoked to handle the PA‑DATA element. Due to a logic flaw, the parser selects the wrong parsing arm for the given padata‑type, leading to a state where the `pa_data_element` field remains uninitialized. The function then attempts to dereference this uninitialized pointer, resulting in a null pointer dereference. This crash occurs almost instantaneously upon receipt of the malicious packet, and because the packet can be sent via a single UDP or TCP segment, the attack is extremely efficient and requires minimal bandwidth.
The vulnerability is particularly severe because Zeek is often deployed as a network intrusion detection system (NIDS) or security monitoring tool in critical infrastructure environments. A successful exploitation can disrupt network visibility, potentially allowing other malicious activities to go undetected. The flaw is present in all Zeek versions prior to 8.0.9, and it has been assigned a CVSSv3.1 base score of 7.5 (High) by VulnCheck, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that the attack is network exploitable, requires low complexity, no privileges, and no user interaction, with a high impact on availability.
The fix, included in Zeek 8.0.9, adds additional checks for the state reported by Kerberos packets, ensuring that the `pa_data_element` is properly initialized before dereferencing. Administrators are strongly urged to upgrade to version 8.0.9 or later to mitigate this risk. The vulnerability was discovered and reported by Tim Wojtulewicz of Corelight.

DailyCVE Form:

Platform: ……. Zeek
Version: …….. < 8.0.9
Vulnerability :.. Null pointer dereference
Severity: ……. High (CVSS 7.5)
date: ……….. 2026-07-09

Prediction: ….. 2026-07-06

What Undercode Say – Analytics

Below are practical commands and scripts to assess and monitor for CVE-2026-60109 in your Zeek environment.

Check Zeek Version

zeek --version
Expected output for vulnerable versions: Zeek 8.0.x (x < 9)
Fixed version: Zeek 8.0.9 or higher

Identify Vulnerable Installations (Debian/Ubuntu)

dpkg -l | grep zeek | awk '{print $3}'
If version < 8.0.9, the system is vulnerable

Detect Exploit Attempts via Zeek Logs

The following Zeek script snippet logs Kerberos errors with error‑code 25 and PA‑DATA types of interest:

event kerberos_error(c: connection, error_code: count, msg_type: count, e_data: string)
{
if (error_code == 25) {
print fmt("Potential CVE-2026-60109 exploit from %s", c$id$orig_h);
}
}

Monitor for Crashes

Check system logs for Zeek process termination:

journalctl -u zeek -f | grep -i "segfault|core dumped|signal 11"

Network‑based Detection (Snort/Suricata)

Rule to alert on KRB_ERROR with error‑code 25 and PA‑DATA type 2,3,11,19:

alert udp any any -> any 88 (msg:"CVE-2026-60109 Zeek Kerberos DoS attempt"; content:"|25|"; depth:1; content:"|02 03 0B 13|"; sid:1000001;)

Exploit

An attacker can trigger the vulnerability by sending a single UDP or TCP packet to port 88 of the target Zeek sensor. The packet must be a valid Kerberos KRB_ERROR message with:
– error‑code = 25 (KDC_ERR_PREAUTH_REQUIRED)
– A PA‑DATA element where `padata‑type` is 2, 3, 11, or 19.
No prior authentication or session establishment is required. The crafted packet causes `proc_padata()` to dereference an uninitialized `pa_data_element` pointer, leading to an immediate crash of the Zeek process. This can be performed remotely and repeatedly, making it a reliable DoS vector.

Protection

  • Upgrade Zeek to version 8.0.9 or later. The fix is included in the official 8.0.9 release, which adds state validation for Kerberos packets.
  • If an immediate upgrade is not possible, apply the patch backported by your distribution (e.g., FreeBSD ports, Debian security updates).
  • As a temporary workaround, block or rate‑limit traffic to port 88 from untrusted sources using network ACLs or firewall rules.
  • Enable process monitoring and automatic restart (e.g., systemd Restart=always) to reduce downtime in case of exploitation.

Impact

  • Availability: The vulnerability allows an unauthenticated remote attacker to crash the Zeek sensor with a single packet, leading to a complete loss of network monitoring and logging capabilities.
  • Detection Evasion: During the downtime, malicious activities may go undetected, increasing the risk of data breaches or further compromise.
  • Operational Disruption: In environments where Zeek is used for compliance or security operations, repeated crashes can cause significant operational overhead and degrade the overall security posture.
  • CVSS Score: 7.5 (High) – reflecting the ease of exploitation and the high impact on availability.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top