CVE-2026-3608

Description

Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected products

ISC / Kea2.6.0 – 2.6.4
ISC / Kea3.0.0 – 3.0.2

References

MISChttps://kb.isc.org/docs/cve-2026-3608
MISChttps://downloads.isc.org/isc/kea/2.6.5
MISChttps://downloads.isc.org/isc/kea/3.0.3