PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-60108 zeek CVE debrief

CVE-2026-60108 is an uncontrolled memory consumption vulnerability in Zeek's FTP analyzer. Unauthenticated remote attackers can cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. The vulnerability exists in the NVT_Analyzer component, which lacks a maximum line length check, leading to continuous internal buffer doubling without bounds during base64 decoding of an attacker-controlled ADAT token. This issue affects Zeek versions prior to 8.0.9.

Vendor
zeek
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Zeek versions prior to 8.0.9 should apply the patch to prevent denial-of-service attacks. Network defenders and administrators responsible for Zeek installations are advised to review and update their systems. They should also monitor for potential exploitation attempts and implement compensating controls as necessary.

Technical summary

The vulnerability is caused by the NVT_Analyzer component's lack of a maximum line length check, allowing an attacker to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token. This results in denial of service of the Zeek sensor. The issue is addressed in Zeek version 8.0.9. Affected users should review their systems and apply the necessary patches or updates.

Defensive priority

High

Recommended defensive actions

  • Apply the patch from https://github.com/zeek/zeek/commit/93ff6950a90cfa9d00c1062cde429313a0402a01
  • Update to Zeek version 8.0.9 or later from https://github.com/zeek/zeek/releases/tag/v8.0.9
  • Review and monitor Zeek installations for potential exploitation attempts
  • Implement compensating controls to detect and prevent similar attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-09T15:16:41.627Z and has not been modified since then. The NVD entry is currently Analyzed. This information is based on the NVD entry and the official CVE record. The vulnerability affects Zeek versions prior to 8.0.9. Users should verify their installations and apply patches or updates as necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T15:16:41.627Z and has not been modified since then.