High-Severity Kea DHCP Flaw Can Crash Services, ISC Warns


David Kimber
March 27, 2026

The Internet Systems Consortium (ISC) has issued a critical security advisory, alerting network administrators to a high-severity vulnerability impacting the Kea DHCP server.

Tracked as CVE-2026-3608, this flaw allows unauthenticated remote attackers to trigger a stack overflow error.

When successfully exploited, the vulnerability causes the receiving daemon to crash, resulting in a sudden and total loss of DHCP services across the network.

Kea DHCP Vulnerability

The vulnerability exists in how Kea daemons process incoming messages over specific listening channels.

An attacker can exploit this weakness by sending a maliciously crafted message over any configured API socket or High Availability (HA) listener.

Because the incoming payload is not handled correctly by the software, a stack overflow occurs, forcing the service to terminate unexpectedly.

This issue impacts multiple core components of the Kea architecture. The advisory explicitly notes that the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, and kea-dhcp6 daemons are all susceptible to this attack.

Ali Norouzi from Keysight is credited with discovering and responsibly reporting the issue to the ISC. Carrying a CVSS v3.1 score of 7.5, CVE-2026-3608 represents a significant threat to network stability.

The vulnerability requires zero user interaction and no elevated privileges, meaning any bad actor with network access to the API sockets can trigger the crash.

The primary consequence of this exploit is a severe denial-of-service condition.

When the Kea daemons exit, the network immediately loses its DHCP capabilities, which can disrupt IP address assignment, break network connectivity for new devices, and severely impact enterprise operations.

Fortunately, the ISC has stated that they are currently unaware of any active exploits in the wild.

Mitigations and Workarounds

To permanently resolve this vulnerability, the ISC strongly advises organizations to immediately upgrade their Kea deployments to the latest patched releases.

Administrators running the 2.6 branch should update to Kea 2.6.5, while those on the 3.0 branch must update to Kea 3.0.3 to secure their environments against potential denial-of-service attacks.

For network administrators who are unable to patch their systems right away, the ISC has provided an effective temporary workaround.

Organizations can block the exploitation path by securing their API sockets with Transport Layer Security (TLS) and enforcing strict mutual authentication.

By configuring the server to require a valid client certificate, administrators ensure that an attacker cannot establish the initial API connection required to deliver the malicious payload.
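As an added example (not from the ISC advisory or the Kea project), the following check walks a parsed Kea configuration and reports HTTP control or HA listeners that lack TLS or do not require a client certificate. It assumes the TLS parameter names documented in the Kea Administrator Reference Manual (`trust-anchor`, `cert-file`, `key-file`, `cert-required`, `require-client-certs`) and only inspects TLS settings at the HA top level; the addresses and file paths in the samples are constructed placeholders.

```python
# Added example: audit a parsed Kea configuration for HTTP listeners that
# accept connections without TLS mutual authentication.
TLS_KEYS = ("trust-anchor", "cert-file", "key-file")

def check_listener(name, cfg, require_key="cert-required"):
    """Return findings for one listener block (a dict from the Kea config)."""
    missing = [k for k in TLS_KEYS if not cfg.get(k)]
    if missing:
        return [f"{name}: no TLS ({', '.join(missing)} not set)"]
    # Assumption: an absent flag means client certificates are required.
    if cfg.get(require_key, True) is not True:
        return [f"{name}: client certificate not required ({require_key})"]
    return []

def audit(config):
    findings = []
    if "Control-agent" in config:
        findings += check_listener("Control-agent", config["Control-agent"])
    for daemon in ("Dhcp4", "Dhcp6", "DhcpDdns"):
        section = config.get(daemon, {})
        # Unix-domain control sockets are skipped: TLS does not apply to them.
        for sock in section.get("control-sockets", []):
            if sock.get("socket-type") in ("http", "https"):
                findings += check_listener(f"{daemon} control socket", sock)
        for hook in section.get("hooks-libraries", []):
            for ha in hook.get("parameters", {}).get("high-availability", []):
                findings += check_listener(f"{daemon} HA", ha, "require-client-certs")
    return findings

# Constructed sample configurations; addresses and paths are placeholders.
TLS = {"trust-anchor": "/etc/kea/tls/ca.pem",
       "cert-file": "/etc/kea/tls/server.pem",
       "key-file": "/etc/kea/tls/server.key"}
WEAK = {
    "Control-agent": {"http-host": "192.0.2.10", "http-port": 8000},
    "Dhcp4": {"control-sockets": [{"socket-type": "http",
                                   "socket-address": "192.0.2.10",
                                   "socket-port": 8001}]},
}
NO_CLIENT_CERT = {"Control-agent": {"http-host": "192.0.2.10", "http-port": 8000,
                                    **TLS, "cert-required": False}}
HARDENED = {
    "Control-agent": {"http-host": "192.0.2.10", "http-port": 8000,
                      **TLS, "cert-required": True},
    "Dhcp4": {"hooks-libraries": [{
        "library": "libdhcp_ha.so",
        "parameters": {"high-availability": [{**TLS, "require-client-certs": True}]}}]},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("no-client-cert", NO_CLIENT_CERT), ("hardened", HARDENED)):
        print(label, audit(cfg) or "ok")
```

Kea configuration files may contain comments, so strip them before parsing the file as JSON and passing the result to `audit`.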
