CVE-2026-3608 in Kea
Summary
by MITRE • 03/25/2026
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability identified as CVE-2026-3608 is a critical stack overflow condition in the Kea DHCP server suite, affecting four daemon processes: kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, and kea-dhcp6. It enables remote attackers to mount a denial of service attack by transmitting specially crafted messages through any configured API socket or High Availability (HA) listener interface. The flaw lies in the message processing logic of these daemons, where insufficient input validation and buffer management allow malicious payloads to corrupt the stack. Affected versions are Kea 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2, so the impact spans multiple release branches of this widely deployed DHCP infrastructure software.
Technically, the vulnerability stems from inadequate bounds checking during message parsing within the Kea daemon processes. When these daemons receive network traffic through configured API sockets or HA listeners, they process incoming data structures without sufficient validation of message length or content boundaries. This creates an exploitable condition in which crafted payloads can exceed allocated stack buffer sizes, leading to stack corruption and subsequent daemon termination. Because the overflow occurs during the normal processing flow of network messages, it can be triggered over legitimate communication channels without elevated privileges or specialized attack vectors. This behavior aligns with CWE-121, Stack-based Buffer Overflow, a classic memory corruption class that can be leveraged for remote code execution or denial of service.
The operational impact of CVE-2026-3608 extends beyond simple service disruption, as it can compromise the entire DHCP infrastructure of networks relying on Kea. When any of the affected daemons terminates due to a stack overflow, DHCP service is disrupted immediately, potentially affecting thousands of devices that depend on dynamic IP address allocation. The HA listener adds further risk because it coordinates multiple Kea instances, so a successful attack could cascade across redundant systems and defeat high availability configurations. Network administrators face the challenge of identifying and mitigating this vulnerability without disrupting ongoing operations, since the attack can be executed remotely and requires neither authentication nor physical access to the affected systems.
Mitigation for CVE-2026-3608 should prioritize immediate upgrades to versions that address the stack overflow, typically through patches that implement proper bounds checking and input validation. Organizations should also apply network segmentation and access controls that limit exposure of API sockets and HA listeners to trusted networks only, reducing the attack surface. Monitoring should be configured to detect unusual daemon terminations or abnormal traffic toward these listeners that might indicate exploitation attempts. From a defensive perspective, this vulnerability maps to ATT&CK technique T1499.004 for Network Denial of Service and T1059.007 for Command and Scripting Interpreter, as it enables both service disruption and potential exploitation of underlying system resources. Security teams should also conduct comprehensive vulnerability assessments across their entire Kea deployment to identify any custom configurations or modifications that might exacerbate the impact.
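As an added example (not code from ISC Kea or from VulDB), a small Python audit that applies the two mitigation steps above: it classifies a daemon's version string against the affected ranges and scans a Kea JSON configuration for HTTP API sockets or HA peers that are reachable off-host without TLS. The configuration keys used (control-sockets, http-host, hooks-libraries, high-availability, peers, trust-anchor) follow Kea's documented schema as the author understands it; the sample configuration is constructed.

```python
# Added audit example (not Kea or VulDB code): flag affected versions and
# API/HA endpoints reachable off-host without TLS. Key names follow Kea's JSON schema.
import re
from urllib.parse import urlsplit

AFFECTED = [((2, 6, 0), (2, 6, 4)), ((3, 0, 0), (3, 0, 2))]  # ranges from the advisory
LOCAL = {"127.0.0.1", "::1", "localhost"}

def is_affected(version: str) -> bool:
    """True if a version string such as 'kea-dhcp4 3.0.1' is in an affected range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no version number in {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def exposed_listeners(config: dict) -> list[str]:
    """Findings for API sockets or HA peers reachable off-host over plaintext."""
    findings = []
    for daemon, body in config.items():                 # "Dhcp4", "Control-agent", ...
        sockets = list(body.get("control-sockets", []))
        if "http-host" in body:                         # kea-ctrl-agent uses flat keys
            sockets.append({**body, "socket-type": "http", "socket-address": body["http-host"]})
        for s in sockets:
            if s.get("socket-type") not in ("http", "https"):
                continue                                # unix sockets are local by nature
            addr = s.get("socket-address", "127.0.0.1")
            tls = s["socket-type"] == "https" or "trust-anchor" in s
            if addr not in LOCAL and not tls:
                findings.append(f"{daemon}: plaintext API listener on {addr}:{s.get('socket-port', s.get('http-port'))}")
        for hook in body.get("hooks-libraries", []):
            for ha in hook.get("parameters", {}).get("high-availability", []):
                for peer in ha.get("peers", []):
                    u = urlsplit(peer.get("url", ""))
                    if u.scheme == "http" and u.hostname not in LOCAL:
                        findings.append(f"{daemon}: HA peer {peer.get('name')} over plaintext {u.netloc}")
    return findings

# Constructed sample: one exposed HTTP control socket, two plaintext HA peers, ctrl-agent on loopback.
SAMPLE = {
    "Dhcp4": {
        "control-sockets": [
            {"socket-type": "unix", "socket-name": "/run/kea/kea4-ctrl-socket"},
            {"socket-type": "http", "socket-address": "0.0.0.0", "socket-port": 8000}],
        "hooks-libraries": [{"library": "/usr/lib/kea/hooks/libdhcp_ha.so", "parameters": {
            "high-availability": [{"this-server-name": "server1", "mode": "hot-standby", "peers": [
                {"name": "server1", "url": "http://192.0.2.1:8000/", "role": "primary"},
                {"name": "server2", "url": "http://192.0.2.2:8000/", "role": "standby"}]}]}}]},
    "Control-agent": {"http-host": "127.0.0.1", "http-port": 8001},
}
```

Running `exposed_listeners(SAMPLE)` yields three findings (the 0.0.0.0 control socket and both HA peers); the loopback-bound control agent is not reported.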