Description
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error.
This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via stack overflow
Action: Apply Patch
AI Analysis

Impact

A crafted message sent to any of the Kea daemons that listen on an API socket or HA listener can cause a stack overflow, terminating the daemon. The result is a denial-of-service condition; the affected service stops until restarted and no code execution is possible.

Affected Systems

The vulnerability affects the ISC Kea DHCP suite, including kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, and kea-dhcp6. Versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2 on any platform that exposes an API socket or HA listener are susceptible.

Risk and Exploitability

The severity score is 7.5, placing the issue in the high range. No EPSS score is available, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker with network access to the exposed API endpoint can trigger the overflow without privileged access. Prompt remediation is advised, especially if the sockets are reachable from untrusted networks.

Generated by OpenCVE AI on March 25, 2026 at 10:50 UTC.

Remediation

Vendor Solution

Upgrade to the patched release most closely related to your current version of Kea: 2.6.5 or 3.0.3.


Vendor Workaround

Securing the API sockets with TLS, and requiring the client to authenticate with a certificate (mutual authentication), prevents the attacker from establishing an API connection to Kea. Set cert-required to true (the default) to require a client certificate. See: https://kea.readthedocs.io/en/stable/arm/security.html#tls-https-configuration


OpenCVE Recommended Actions

  • Upgrade Kea to a patched release that matches your current version, such as 2.6.5 or 3.0.3.
  • If an upgrade cannot be applied immediately, enable TLS on the API sockets and enforce mutual authentication by setting cert-required to true.
  • Limit exposure of the API socket or HA listener to trusted hosts or networks using firewall rules or network segmentation.

Generated by OpenCVE AI on March 25, 2026 at 10:50 UTC.
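The vendor workaround above in configuration form, added here as an illustration rather than copied from the OpenCVE page or from ISC's documentation. It uses the Control Agent TLS keys that the linked Kea security page documents (trust-anchor, cert-file, key-file, cert-required); the listening address, port and certificate paths are placeholders to be replaced with site values. Kea's configuration parser accepts // comments, which are used here to mark what the cleartext setup lacked. In releases where the DHCP daemons expose HTTP control sockets directly, the same TLS keys apply to those sockets; check the linked page for their exact placement in that case.

```json
{
  "Control-agent": {
    // Placeholder address and port: bind to a management interface,
    // never to every interface, so the listener is not reachable from
    // client-facing networks.
    "http-host": "10.0.0.5",
    "http-port": 8000,

    // Before (the weak setting): no trust-anchor, cert-file or key-file
    // keys at all, so the agent serves plain HTTP and any host that can
    // reach the port can submit API messages to the daemons behind it.

    // After: TLS with mutual authentication, as the vendor workaround
    // describes. The CA in trust-anchor decides which client
    // certificates are accepted.
    "trust-anchor": "/etc/kea/certs/ca.pem",
    "cert-file": "/etc/kea/certs/agent-cert.pem",
    "key-file": "/etc/kea/certs/agent-key.pem",

    // true is already the default once TLS is configured; setting it
    // explicitly keeps a later edit from silently dropping the
    // client-certificate requirement.
    "cert-required": true,

    // Unix-domain sockets towards the DHCP daemons (placeholder path).
    "control-sockets": {
      "dhcp4": {
        "socket-type": "unix",
        "socket-name": "/run/kea/kea4-ctrl-socket"
      }
    }
  }
}
```

After restarting kea-ctrl-agent, confirm the change from a management host: a TLS client that presents no certificate should fail during the handshake, while one presenting a certificate issued by the trust anchor should be able to run a harmless command such as list-commands. Pair this with the firewall or segmentation control from the recommended actions, since TLS narrows who can talk to the socket but does not remove the parsing defect itself; only the patched release does that.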


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 18:30:00 +0000

  Type: References

Wed, 25 Mar 2026 14:15:00 +0000

  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:15:00 +0000

  Type: References

  Type: Metrics (threat_severity)
  Values removed: None
  Values added: Important

Wed, 25 Mar 2026 09:00:00 +0000

  Type: Description
  Values added: Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

  Type: Title
  Values added: Stack overflow in Kea daemons

  Type: First Time appeared
  Values added: Isc; Isc kea

  Type: Weaknesses
  Values added: CWE-617

  Type: CPEs
  Values added: cpe:2.3:a:isc:kea:*:*:*:*:*:*:*:*

  Type: Vendors & Products
  Values added: Isc; Isc kea

  Type: References

  Type: Metrics (cvssV3_1)
  Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: isc

Published:

Updated: 2026-03-25T17:22:19.777Z

Reserved: 2026-03-05T17:47:36.088Z

Link: CVE-2026-3608

Vulnrichment

Updated: 2026-03-25T17:22:19.777Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T09:16:25.810

Modified: 2026-03-25T18:16:32.853

Link: CVE-2026-3608

Redhat

Severity: Important

Public Date: 2026-03-25T08:46:48Z

Links: CVE-2026-3608 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T11:51:27Z

Weaknesses