CVE-2026-3608 PUBLISHED

Stack overflow in Kea daemons

Assigner: isc
Reserved: 05.03.2026 Published: 25.03.2026 Updated: 25.03.2026

Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ISC
Product	Kea
Versions	Default: unaffected affected from 2.6.0 to 2.6.4 (incl.) affected from 3.0.0 to 3.0.2 (incl.)

Exploits

We are not aware of any active exploits.

Workarounds

Securing the API sockets with TLS, and requiring the client to authenticate with a certificate (mutual authentication), prevents the attacker from establishing an API connection to Kea. Set cert-required to true (the default) to require a client certificate. See: https://kea.readthedocs.io/en/stable/arm/security.html#tls-https-configuration

Solutions

Upgrade to the patched release most closely related to your current version of Kea: 2.6.5 or 3.0.3.

Credits

ISC would like to thank Ali Norouzi of Keysight for bringing this vulnerability to our attention.