PatchSiren

zeek CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH zeek CVE published 2026-07-09

CVE-2026-60109

CVE-2026-60109 is a null pointer dereference vulnerability in Zeek's Kerberos protocol analyzer. Unauthenticated remote attackers can crash the sensor by sending a crafted KRB_ERROR message with error-code 25 (KDC_ERR_PREAUTH_REQUIRED) containing a PA-DATA element with padata-type 2, 3, 11, or 19. The vulnerability arises from a parser and analyzer state mismatch where proc_padata() dereferences an uninit [truncated]

HIGH zeek CVE published 2026-07-09

CVE-2026-60108

CVE-2026-60108 is an uncontrolled memory consumption vulnerability in Zeek's FTP analyzer. Unauthenticated remote attackers can cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. The vulnerability exists in the NVT_Analyzer component, which lacks a maximum line length check, leading to continuous internal buffer doubling withou [truncated]