Description

Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

PUBLISHED Reserved 2026-03-05 | Published 2026-03-25 | Updated 2026-03-25 | Assigner isc




HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-617 Reachable Assertion

Product status

Default status: unaffected

2.6.0 (custom): affected

3.0.0 (custom): affected

Credits

ISC would like to thank Ali Norouzi of Keysight for bringing this vulnerability to our attention.

References

www.openwall.com/lists/oss-security/2026/03/25/6

kb.isc.org/docs/cve-2026-3608 (CVE-2026-3608) vendor-advisory

downloads.isc.org/isc/kea/2.6.5 patch

downloads.isc.org/isc/kea/3.0.3 patch

cve.org (CVE-2026-3608)

nvd.nist.gov (CVE-2026-3608)
