CVE-2026-3608

Summary

Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

Affected Software

VendorProductVersion RangeStatus
ISCKea2.6.0 <= 2.6.4affected
ISCKea3.0.0 <= 3.0.2affected

Weaknesses

  • CWE-617: CWE-617 Reachable Assertion

Workarounds

Securing the API sockets with TLS, and requiring the client to authenticate with a certificate (mutual authentication), prevents the attacker from establishing an API connection to Kea. Set cert-required to true (the default) to require a client certificate. See: https://kea.readthedocs.io/en/stable/arm/security.html#tls-https-configuration

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

Kea: Kea: Denial of Service via maliciously crafted message

Additional References

References