CVE-2025-11232 Overview
CVE-2025-11232 is a denial of service vulnerability in ISC Kea DHCP server. A remote attacker can crash the kea-dhcp4 process by sending crafted DHCP option content when specific configuration parameters are set. The flaw is tracked under CWE-823: Use of Out-of-range Pointer Offset and affects Kea versions 3.0.1 and 3.1.1 through 3.1.2.
Triggering the issue requires hostname-char-set left at its default value, hostname-char-replacement empty, and ddns-qualifying-suffix set to a non-empty value. Dynamic DNS (DDNS) updates do not need to be enabled for the crash to occur.
Critical Impact
An unauthenticated network attacker can terminate the kea-dhcp4 daemon, disrupting DHCP lease issuance across the network segment.
Affected Products
- ISC Kea DHCP version 3.0.1
- ISC Kea DHCP versions 3.1.1 through 3.1.2
- Deployments using default hostname-char-set with empty hostname-char-replacement and a configured ddns-qualifying-suffix
Discovery Timeline
- 2025-10-29 - CVE-2025-11232 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-11232
Vulnerability Analysis
The vulnerability resides in the hostname sanitization logic of kea-dhcp4. When a DHCP client supplies option content containing characters that match the default hostname-char-set regex [^A-Za-z0-9.-], Kea attempts to substitute them using hostname-char-replacement. If the replacement string is empty and a ddns-qualifying-suffix is configured, the server mishandles the resulting buffer and exits unexpectedly.
The issue is reachable without authentication because DHCP message processing accepts client-supplied option content during normal lease negotiation. An attacker on the same broadcast domain, or any network path reaching the DHCP service, can deliver the malicious option. Successful exploitation halts the DHCP service, preventing clients from obtaining or renewing leases.
Root Cause
The root cause is improper handling of an out-of-range pointer offset (CWE-823) during hostname character substitution. Empty replacement strings combined with a qualifying suffix lead to incorrect buffer arithmetic when the sanitization routine processes disallowed characters in client-supplied hostname data.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends a DHCP request containing option content with characters disallowed by the default hostname-char-set. The crafted request triggers the faulty substitution path, causing the kea-dhcp4 process to terminate. Refer to the ISC CVE-2025-11232 Advisory for protocol-level details.
No verified public proof-of-concept code is available. The Openwall OSS Security Discussion provides additional context from the maintainers.
Detection Methods for CVE-2025-11232
Indicators of Compromise
- Unexpected termination or repeated restarts of the kea-dhcp4 process logged by the service manager
- DHCP server logs ending abruptly during processing of a client hostname option
- Sudden gaps in lease assignments correlated with DHCP request bursts from a single client MAC address
Detection Strategies
- Monitor kea-dhcp4 exit codes and crash signals through systemd or process supervisors and alert on unscheduled exits
- Inspect DHCP request packets for hostname option values containing characters outside [A-Za-z0-9.-] when a ddns-qualifying-suffix is configured
- Correlate DHCP service outages with inbound DHCPDISCOVER or DHCPREQUEST traffic patterns from new or unrecognized clients
Monitoring Recommendations
- Forward kea-dhcp4 syslog output to a centralized logging platform and create alerts on process termination events
- Track DHCP lease issuance rate as a service health metric and trigger alerts when issuance drops to zero unexpectedly
- Capture packet samples at DHCP relay agents to retain forensic evidence of malformed option content for post-incident analysis
How to Mitigate CVE-2025-11232
Immediate Actions Required
- Upgrade ISC Kea to a fixed release as documented in the ISC CVE-2025-11232 Advisory
- Audit kea-dhcp4.conf for the vulnerable configuration combination and apply a temporary workaround until patched
- Restrict DHCP traffic to trusted network segments using switch port security and DHCP snooping
Patch Information
ISC has published fixed releases for the affected branches. Administrators should consult the ISC CVE-2025-11232 Advisory for the specific patched versions and upgrade instructions. The Openwall OSS Security Discussion provides additional remediation context from the maintainers.
Workarounds
- Set hostname-char-replacement to a non-empty value such as "x" to avoid the faulty substitution path
- Clear ddns-qualifying-suffix so the vulnerable code path is not reached during hostname processing
- Override hostname-char-set with a permissive regex that does not require replacement for typical client hostnames
# Configuration example - apply one of these mitigations in kea-dhcp4.conf
{
"Dhcp4": {
"hostname-char-set": "[^A-Za-z0-9.-]",
"hostname-char-replacement": "x",
"ddns-qualifying-suffix": "example.org"
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
