ISC Warns of High-Severity Kea DHCP Flaw, CVE-2023-50887
Key Takeaways
- A high-severity vulnerability (CVE-2026-3608) has been identified in the Kea DHCP server software.
- The flaw can be exploited remotely by unauthenticated attackers, leading to a denial-of-service (DoS) condition.
- Successful exploitation causes Kea DHCP daemons to crash, disrupting network services.
- Patches are available in Kea versions 2.6.5 and 3.0.3, and immediate upgrades are recommended.
The Internet Systems Consortium (ISC) has issued a critical security alert, warning network administrators about a significant vulnerability discovered in its Kea DHCP server. This high-severity flaw, identified as CVE-2026-3608, could enable unauthorized remote attackers to trigger a stack overflow error, leading to a complete disruption of DHCP services.
When exploited, the vulnerability causes the affected Kea daemon to crash, resulting in a sudden and total loss of DHCP functionality across the network. This can severely impact network operations by preventing new devices from obtaining IP addresses and disrupting existing connections.
Kea DHCP Vulnerability Details
The core of the vulnerability lies within how Kea daemons process incoming messages received over specific listening channels. An attacker can exploit this weakness by sending a specially crafted message to any configured API socket or High Availability (HA) listener. This malformed payload is not handled correctly by the software, leading to a stack overflow that forces the service to terminate unexpectedly.
Multiple critical components of the Kea architecture are susceptible to this attack. The ISC advisory explicitly states that the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, and kea-dhcp6 daemons are all vulnerable. Ali Norouzi from Keysight is credited with the responsible disclosure of this issue to the ISC.
The flaw carries a CVSS v3.1 score of 7.5, underscoring its significant threat to network stability. Exploitation requires no user interaction and no elevated privileges, meaning any malicious actor with network access to the API sockets can initiate the crash. The primary consequence is a severe denial-of-service condition. When Kea daemons fail, networks immediately lose DHCP capabilities, potentially disrupting IP address assignments, breaking connectivity for new devices, and severely impacting enterprise operations. Fortunately, the ISC has confirmed that it is currently unaware of any active exploits in the wild.
What You Should Do
- Upgrade Immediately: Organizations should upgrade their Kea deployments to the latest patched releases without delay. Users on the 2.6 branch must update to Kea 2.6.5, while those on the 3.0 branch should update to Kea 3.0.3 to secure their environments.
- Implement TLS and Mutual Authentication: For administrators unable to patch immediately, a temporary workaround involves securing API sockets with Transport Layer Security (TLS) and enforcing strict mutual authentication. Configuring the server to require a valid client certificate prevents attackers from establishing the initial API connection needed to deliver the malicious payload.
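The two steps above (check the running version against the fixed releases, and verify the TLS-with-client-certificate workaround on the control agent) can be turned into a small audit script. The following is an added example, not code from ISC or the Kea project: it assumes the `Control-agent` configuration keys `trust-anchor`, `cert-file`, `key-file` and `cert-required` as documented for kea-ctrl-agent, and the two sample configurations are constructed for illustration.

```python
import json
import re

# Fixed releases per branch, as stated in the advisory summary above
# (2.6 branch -> 2.6.5, 3.0 branch -> 3.0.3). Other branches are not covered here.
FIXED_VERSIONS = {(2, 6): (2, 6, 5), (3, 0): (3, 0, 3)}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '2.6.4' or 'kea-dhcp4 3.0.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text):
    """True/False for the 2.6 and 3.0 branches; None when the branch is not
    one the advisory summary lists a fixed release for."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def audit_ctrl_agent(config):
    """Return a list of findings for a kea-ctrl-agent configuration dict.

    An empty list means the workaround described above is in place: the API
    socket is TLS-protected and every client must present a certificate
    issued under the configured trust anchor. Key names are assumed from the
    kea-ctrl-agent documentation; the audit insists on an explicit
    cert-required: true rather than relying on any default.
    """
    agent = config.get("Control-agent", {})
    findings = []
    for key in ("trust-anchor", "cert-file", "key-file"):
        if not agent.get(key):
            findings.append(f"missing '{key}': API socket is not TLS-protected")
    if agent.get("cert-required") is not True:
        findings.append("'cert-required' is not true: clients need not present a certificate")
    return findings


# Constructed sample: plaintext HTTP control agent, no client authentication.
WEAK_CONFIG = """
{
  "Control-agent": {
    "http-host": "10.0.0.5",
    "http-port": 8000
  }
}
"""

# Constructed sample: TLS with mutual authentication (paths are placeholders).
HARDENED_CONFIG = """
{
  "Control-agent": {
    "http-host": "10.0.0.5",
    "http-port": 8000,
    "trust-anchor": "/etc/kea/certs/ca.pem",
    "cert-file": "/etc/kea/certs/server-cert.pem",
    "key-file": "/etc/kea/certs/server-key.pem",
    "cert-required": true
  }
}
"""


def audit_report(version_text, config_text):
    """Combine both checks into one summary dict for a host."""
    patched = is_patched(version_text)
    findings = audit_ctrl_agent(json.loads(config_text))
    return {
        "version": version_text,
        "patched": patched,
        "workaround_in_place": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, ver, cfg in (("weak", "2.6.4", WEAK_CONFIG), ("hardened", "3.0.3", HARDENED_CONFIG)):
        print(label, json.dumps(audit_report(ver, cfg), indent=2))
```

Run it against the output of `kea-dhcp4 -v` and the contents of `kea-ctrl-agent.conf` on each DHCP host; a host that is neither patched nor reporting an empty findings list is still exposed on its API socket. The script deliberately returns `None` rather than a guess for branches the advisory summary does not cover.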