The Internet Systems Consortium (ISC) has released a security advisory addressing a high-severity vulnerability in its widely used Kea DHCP server. The flaw, tracked as CVE-2025-40779 with a CVSS score of 7.5, could allow a remote attacker to crash Kea with a single crafted packet.
According to the ISC bulletin, “If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the kea-dhcp4 process will abort with an assertion failure.”
Notably, this issue only arises when requests are unicast directly to Kea. Broadcast DHCP requests are not affected.
The vulnerability leads to a Denial of Service (DoS). As ISC explains, “A malicious or misconfigured DHCP client can crash the Kea DHCPv4 service by sending a single packet.”
While the vulnerability does not allow for code execution or privilege escalation, its ability to remotely disable a core networking service with minimal effort makes it a significant concern—particularly for ISPs, enterprises, and data centers relying on Kea for large-scale IP address management.
The advisory lists the following Kea versions as vulnerable:
- 2.7.1 → 2.7.9
- 3.0.0
- 3.1.0
Versions confirmed not affected include:
- 2.6.0 → 2.6.4
ISC recommends upgrading immediately to one of the patched releases named in the bulletin:
- 3.0.1
- 3.1.1
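As an added example that is not part of the ISC bulletin, the following Python helper classifies a Kea version string against the ranges listed above, which is handy in inventory or fleet-audit scripts. It assumes the version is given as `major.minor.patch`, the form `kea-dhcp4 -v` prints; releases the advisory does not mention (for example 2.7.0 or anything newer than the fixed releases) are reported as unknown rather than guessed.

```python
# Added example: classify a Kea version against the CVE-2025-40779 advisory.
# The ranges below are transcribed from the advisory; anything outside them
# is deliberately reported as "unknown" instead of being inferred.
from typing import Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges exactly as the advisory lists them.
VULNERABLE = [((2, 7, 1), (2, 7, 9)), ((3, 0, 0), (3, 0, 0)), ((3, 1, 0), (3, 1, 0))]
NOT_AFFECTED = [((2, 6, 0), (2, 6, 4))]
FIXED = [(3, 0, 1), (3, 1, 1)]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (the output of `kea-dhcp4 -v`) into a tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kea version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'fixed', 'vulnerable', 'not affected' or 'unknown' for a version."""
    v = parse_version(version_text)
    if v in FIXED:
        return "fixed"
    if any(lo <= v <= hi for lo, hi in VULNERABLE):
        return "vulnerable"
    if any(lo <= v <= hi for lo, hi in NOT_AFFECTED):
        return "not affected"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample of `kea-dhcp4 -v` output collected from several hosts.
    for host, out in [("dhcp-a", "2.7.5\n"), ("dhcp-b", "3.1.1\n"), ("dhcp-c", "2.7.0\n")]:
        print(f"{host}: Kea {out.strip()} -> {assess(out)}")
```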
Operators who cannot upgrade immediately should closely monitor DHCP logs for unusual client request patterns and consider segmenting untrusted devices to limit their exposure.