ISC Patches High-Severity Kea DHCPv4 DoS (CVE-2025-11232) Flaw, Allows Crash via Malformed Hostname
Ddos 
The Internet Systems Consortium (ISC) has issued a security advisory warning users of a denial-of-service (DoS) vulnerability in the Kea DHCPv4 server. Tracked as CVE-2025-11232 and rated CVSS 7.5 (High), the flaw could allow a specially crafted DHCP packet to cause the server to exit unexpectedly, potentially disrupting IP address assignments across entire networks.
According to ISC’s advisory, “To trigger the issue, three configuration parameters must have specific settings: ‘hostname-char-set’ must be left at the default setting, which is ‘[^A-Za-z0-9.-]’; ‘hostname-char-replacement’ must be empty (the default); and ‘ddns-qualifying-suffix’ must NOT be empty (the default is empty).”
Under these circumstances, a client that sends a DHCP request containing invalid or unexpected hostname characters can cause Kea to crash. Importantly, Dynamic DNS (DDNS) does not need to be enabled for the issue to occur.
The vulnerability resides in the Kea-DHCP4 component, where improper handling of assert conditions during hostname validation leads to a program abort. ISC explains that “a client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly.”
While the crash does not lead to remote code execution or data corruption, repeated exploitation could deny network connectivity for DHCP clients, effectively producing a sustained DoS condition. ISC warns, “A denial of service from the repeated attacks against the Kea server” is possible if unpatched systems are targeted.
The vulnerability impacts the following Kea DHCP versions:
- 3.0.1 → 3.0.1
- 3.1.1 → 3.1.2
Kea users running any of the vulnerable versions should upgrade immediately to the patched releases 3.0.2 or 3.1.3, which contain the fix.
For administrators unable to upgrade right away, ISC provides a simple and effective mitigation. “Setting ‘hostname-char-replacement’ to anything other than an empty value (suggestion: ‘x’) is an effective workaround to this issue, regardless of other settings.”
This configuration change prevents the assertion failure by ensuring that invalid characters are replaced before the vulnerable code path is triggered.
Related Posts:
- Security Alert: Multi Flaws in Kea DHCP Server Disclosed
- A Single Packet Can Crash a DHCP Server: High-Severity Flaw CVE-2025-40779 Found in Kea
- NPM Recon: Malicious Packages Found Stealing Internal Network IPs and Hostnames
- Malicious NPM Packages Target PayPal Users to Steal Sensitive Data
- CVE-2024-28872 Vulnerability in Stork Monitoring Tool Could Enable Server Takeover
Donate