The Internet Systems Consortium (ISC) has issued a high-severity security advisory regarding a critical vulnerability affecting the Kea DHCP suite. The flaw, tracked as CVE-2026-3608 (CVSS 7.5), could allow remote attackers to disable vital network services by triggering a stack overflow in various Kea daemons.
Kea is a modern, open-source DHCP server used by service providers and enterprises to automate IP address management. This vulnerability strikes at the core of network availability, potentially leading to a complete loss of DHCP services if exploited.
The vulnerability resides in how Kea handles incoming communications across its various control and delivery mechanisms. According to the ISC advisory:
“Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error”.
The flaw can be exploited remotely without requiring physical access to the server. A successful attack results in the receiving daemon exiting, leading to an immediate loss of DHCP services for the network.
While a permanent fix is available through software updates, ISC has provided a critical workaround for administrators who cannot patch immediately. The primary defense involves hardening the API sockets that Kea uses for management.
The advisory recommends securing the API sockets with TLS and enforcing mutual authentication. By setting cert-required to true (which is the default setting), administrators can “prevent the attacker from establishing an API connection to Kea” unless they possess a valid, trusted certificate.
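As an added illustration of the workaround above (this is not code from the article or from ISC), the following Python script audits Kea configuration files for API listeners that an unauthenticated remote client could reach: sockets with no TLS configured at all, and sockets where cert-required has been explicitly set to false. It assumes Kea's documented configuration keys (trust-anchor, cert-file, key-file, cert-required, and the control-sockets list form used by kea-dhcp4/kea-dhcp6 in recent releases); the sample configurations are constructed for the example. One caveat the script encodes: cert-required only matters once TLS is enabled with a trust-anchor, so a listener without a trust anchor is plain HTTP regardless of that setting.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample (not from the advisory): kea-ctrl-agent terminating TLS but
# with client-certificate verification switched off, the weak setting.
WEAK_CTRL_AGENT = """{
  "Control-agent": {
    "http-host": "0.0.0.0",
    "http-port": 8000,
    "trust-anchor": "/etc/kea/ca.pem",
    "cert-file": "/etc/kea/agent-cert.pem",
    "key-file": "/etc/kea/agent-key.pem",
    "cert-required": false
  }
}"""

# Constructed sample: the same agent hardened as ISC recommends. cert-required
# defaults to true, so omitting it would also be correct; it is spelled out here.
HARDENED_CTRL_AGENT = """{
  "Control-agent": {
    "http-host": "192.0.2.10",
    "http-port": 8000,
    "trust-anchor": "/etc/kea/ca.pem",
    "cert-file": "/etc/kea/agent-cert.pem",
    "key-file": "/etc/kea/agent-key.pem",
    "cert-required": true
  }
}"""

# Constructed sample: kea-dhcp4 with a local UNIX socket, a plain-HTTP socket
# (no TLS at all) and a mutually authenticated HTTPS socket. The "control-sockets"
# list form is assumed to match the syntax of recent Kea releases.
SAMPLE_DHCP4 = """{
  "Dhcp4": {
    // Kea accepts // line comments; the loader below strips them.
    "control-sockets": [
      { "socket-type": "unix", "socket-name": "/run/kea/kea4-ctrl-socket" },
      { "socket-type": "http", "socket-address": "0.0.0.0", "socket-port": 8000 },
      { "socket-type": "http", "socket-address": "192.0.2.10", "socket-port": 8001,
        "trust-anchor": "/etc/kea/ca.pem", "cert-file": "/etc/kea/dhcp4-cert.pem",
        "key-file": "/etc/kea/dhcp4-key.pem", "cert-required": true }
    ]
  }
}"""


def load_kea_config(text: str) -> dict:
    """Parse a Kea config, dropping whole-line // comments that Kea tolerates."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("//")]
    return json.loads("\n".join(lines))


def collect_listeners(config: dict) -> List[Tuple[str, Dict]]:
    """Gather every API listener definition together with a label for reporting."""
    listeners: List[Tuple[str, Dict]] = []
    agent = config.get("Control-agent")
    if agent is not None:
        listeners.append(("Control-agent", agent))
    for daemon in ("Dhcp4", "Dhcp6", "DhcpDdns"):
        section = config.get(daemon)
        if not section:
            continue
        entries = list(section.get("control-sockets", []))
        if "control-socket" in section:          # older single-socket form
            entries.append(section["control-socket"])
        for idx, sock in enumerate(entries):
            listeners.append((f"{daemon}/control-sockets[{idx}]", sock))
    return listeners


def audit_listener(label: str, sock: Dict) -> List[str]:
    """Flag listeners an unauthenticated remote client could reach."""
    if sock.get("socket-type") == "unix":
        return []  # local filesystem socket, not reachable over the network
    if "trust-anchor" not in sock:
        # Without a trust anchor Kea speaks plain HTTP; cert-required is irrelevant.
        return [f"{label}: no TLS configured, API accepts unauthenticated connections"]
    if sock.get("cert-required", True) is False:
        return [f"{label}: TLS on but cert-required is false, any client may connect"]
    return []


def audit_config(text: str) -> List[str]:
    """Return all findings for one Kea configuration file's contents."""
    findings: List[str] = []
    for label, sock in collect_listeners(load_kea_config(text)):
        findings.extend(audit_listener(label, sock))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak agent", WEAK_CTRL_AGENT),
                         ("hardened agent", HARDENED_CTRL_AGENT),
                         ("dhcp4", SAMPLE_DHCP4)):
        print(name, "->", audit_config(sample) or ["ok"])
```

Run it against the contents of each Kea daemon's configuration file (the HA hook's own listener settings are a separate section and are not covered here); any finding marks a listener that the workaround has not yet closed.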
ISC has confirmed that they are “not aware of any active exploits” currently targeting this vulnerability. However, to ensure long-term stability and security, all Kea users are urged to move to a supported, patched version of the software.
The recommended solution is to upgrade to the following releases:
- Kea 2.6.5
- Kea 3.0.3
Administrators should treat this as a high-priority update, as the stability of the DHCP service is often the linchpin for all other network-connected operations.