CVE-2026-3608
Received - Intake
Stack Overflow in Kea DHCP Daemons Causes Service Crash
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: Internet Systems Consortium (ISC)
Description
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error.
This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isc | kea | From 2.6.0 (inc) to 2.6.4 (inc) |
| isc | kea | From 3.0.0 (inc) to 3.0.2 (inc) |
| isc | kea | 2.6.5 |
| isc | kea | 3.0.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |