CVE-2025-40779 Overview
A denial of service vulnerability exists in ISC Kea DHCP server that allows remote attackers to crash the kea-dhcp4 process by sending specially crafted DHCPv4 requests. When a DHCPv4 client sends a unicast request with specific options and Kea fails to find an appropriate subnet for the client, the server process terminates due to an assertion failure. This vulnerability specifically affects unicast messages sent directly to the Kea server; broadcast messages do not trigger the issue.
Critical Impact
Remote attackers can cause a complete denial of service of DHCP services by sending malicious unicast DHCPv4 requests, potentially disrupting network address assignment for all clients relying on the affected Kea server.
Affected Products
- ISC Kea versions 2.7.1 through 2.7.9
- ISC Kea version 3.0.0
- ISC Kea version 3.1.0
Discovery Timeline
- 2025-08-27 - CVE-2025-40779 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-40779
Vulnerability Analysis
This vulnerability is classified as CWE-476 (Null Pointer Dereference), which occurs when the application dereferences a pointer that is expected to be valid but is null. In the context of the Kea DHCPv4 server, the flaw manifests when processing unicast client requests containing specific option combinations that lead to a failed subnet lookup.
The vulnerability can be exploited remotely over the network without authentication or user interaction. An attacker can send a crafted DHCPv4 packet directly to the Kea server (unicast) that triggers the flawed code path. When the server attempts to find a matching subnet for the client and fails, instead of handling the error gracefully, the kea-dhcp4 process encounters an assertion failure and aborts execution.
Root Cause
The root cause lies in improper error handling within the subnet selection logic of the Kea DHCPv4 daemon. When specific DHCP options are present in a unicast client request and no appropriate subnet can be matched, the code path leads to an assertion that expects certain conditions to be met. When these conditions are not satisfied due to the subnet lookup failure, the assertion triggers, causing an immediate process termination.
The critical distinction is that only unicast traffic is affected: broadcast DHCP discovery packets follow a different code path that handles a failed subnet lookup without tripping the assertion.
Attack Vector
The attack vector is network-based and requires the attacker to be able to send unicast UDP packets to the Kea DHCP server on port 67. The attack flow involves:
- The attacker identifies a vulnerable Kea DHCPv4 server on the network
- A malformed DHCPv4 request is crafted with specific options that will cause subnet lookup to fail
- The packet is sent as a unicast message directly to the server's IP address
- Upon processing, Kea fails to find an appropriate subnet and hits the assertion failure
- The kea-dhcp4 process aborts, denying DHCP services to legitimate clients
No authentication or special privileges are required to exploit this vulnerability. The attack can be launched by any system capable of sending UDP packets to the target server.
Detection Methods for CVE-2025-40779
Indicators of Compromise
- Unexpected termination or restart of the kea-dhcp4 process
- Core dump files or crash logs indicating assertion failures in Kea
- Sudden DHCP service unavailability reported by network clients
- Log entries showing abnormal unicast DHCPv4 requests with unusual option combinations
Detection Strategies
- Monitor kea-dhcp4 process uptime and alert on unexpected restarts or terminations
- Implement network monitoring to detect unusual unicast DHCPv4 traffic patterns targeting the server directly
- Review system logs for assertion failure messages or crash reports related to kea-dhcp4
- Deploy intrusion detection rules to identify DHCPv4 packets with suspicious option configurations
Monitoring Recommendations
- Configure process monitoring to track kea-dhcp4 daemon health and automatically alert administrators on crashes
- Enable detailed logging in Kea configuration to capture information about failed subnet lookups
- Implement network flow analysis to baseline normal DHCP traffic patterns and detect anomalies
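As an added detection example (not code from this page or from ISC), the following Python scans syslog-style journal lines for kea-dhcp4 assertion messages and SIGABRT exits, as the Detection Strategies and Monitoring Recommendations above suggest, and raises an alert when crashes repeat within a short window. The log lines are constructed; the assertion wording, the unit name kea-dhcp4-server.service, the year and the window/threshold values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample journal lines (syslog format). The Kea assertion text is a
# placeholder, not Kea's real message; the systemd lines use systemd's standard
# "code=dumped, status=6/ABRT" wording for a main process killed by SIGABRT.
SAMPLE_LOG = """\
Aug 27 10:15:02 dhcp1 kea-dhcp4[1204]: kea-dhcp4: <file>:<line>: <function>: Assertion `<expr>' failed.
Aug 27 10:15:02 dhcp1 systemd[1]: kea-dhcp4-server.service: Main process exited, code=dumped, status=6/ABRT
Aug 27 10:15:03 dhcp1 systemd[1]: kea-dhcp4-server.service: Scheduled restart job, restart counter is at 1.
Aug 27 10:15:40 dhcp1 kea-dhcp4[1310]: INFO  DHCP4_STARTED Kea DHCPv4 server version 3.0.0 started
Aug 27 10:16:11 dhcp1 systemd[1]: kea-dhcp4-server.service: Main process exited, code=dumped, status=6/ABRT
Aug 27 10:16:12 dhcp1 systemd[1]: kea-dhcp4-server.service: Scheduled restart job, restart counter is at 2.
Aug 27 11:40:00 dhcp1 systemd[1]: kea-dhcp4-server.service: Main process exited, code=dumped, status=6/ABRT
Aug 27 11:40:01 dhcp1 kea-dhcp4[1450]: INFO  DHCP4_STARTED Kea DHCPv4 server version 3.0.0 started
"""

# syslog line: "<Mon DD HH:MM:SS> <host> <unit>[<pid>]: <message>"
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
# A crash is the daemon's own assertion message or systemd reporting SIGABRT (signal 6).
ABORT_RE = re.compile(r"kea-dhcp4-server\.service: Main process exited, code=\w+, status=6/ABRT")
ASSERT_RE = re.compile(r"Assertion .* failed")

def parse_crash_events(log_text, year=2025):
    """Timestamps of kea-dhcp4 crashes, de-duplicated per second so the assertion
    line and the matching systemd exit line count as one crash."""
    seen, events = set(), []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts_str, unit, msg = m.groups()
        if not ((unit == "systemd" and ABORT_RE.search(msg)) or
                (unit == "kea-dhcp4" and ASSERT_RE.search(msg))):
            continue
        ts = datetime.strptime(f"{year} {ts_str}", "%Y %b %d %H:%M:%S")
        if ts not in seen:
            seen.add(ts)
            events.append(ts)
    return events

def crash_alerts(events, window=timedelta(minutes=5), threshold=2):
    """Sliding window over sorted crash times: (window_start, count) wherever at
    least `threshold` crashes fall within `window`, i.e. repeated aborts rather
    than a one-off fault."""
    return [(start, n) for i, start in enumerate(events)
            if (n := sum(1 for t in events[i:] if t - start <= window)) >= threshold]
```

On a live host, feed it the output of journalctl -u kea-dhcp4-server (or the equivalent syslog file) and page on any non-empty alert list; a single crash may be a one-off, but two within minutes is the pattern a remote trigger produces.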
How to Mitigate CVE-2025-40779
Immediate Actions Required
- Upgrade ISC Kea to a patched version that addresses CVE-2025-40779
- Review network architecture to limit which systems can send unicast traffic to the DHCP server
- Implement firewall rules to restrict direct unicast access to the Kea server where possible
- Enable process monitoring and automatic restart capabilities for the kea-dhcp4 service
Patch Information
ISC has released security updates addressing this vulnerability. Administrators should consult the ISC CVE-2025-40779 Advisory for specific patch versions and upgrade instructions. Additional information is available via the OpenWall OSS Security Update.
Workarounds
- Implement network segmentation to prevent untrusted systems from sending unicast packets directly to the DHCP server
- Configure firewall rules to only allow DHCP relay agents and authorized systems to communicate with Kea via unicast
- Deploy a redundant DHCP server configuration to maintain service availability if one instance crashes
- Consider temporarily routing all DHCP traffic through relay agents to ensure broadcast-only communication until patching is complete
# Example: iptables rules to restrict unicast DHCP access
# Allow only trusted DHCP relay agents (relays forward client requests to the server as unicast, so they must be in this set)
iptables -A INPUT -p udp --dport 67 -s 10.0.0.0/24 -j ACCEPT
# Keep serving directly attached clients, whose requests arrive as broadcast and do not trigger this bug
iptables -A INPUT -p udp --dport 67 -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -p udp --dport 67 -j DROP
# Caveat: netfilter only sees packets Kea reads from UDP sockets; with Kea's default raw sockets on Linux, set "dhcp-socket-type": "udp" under interfaces-config or filter upstream of the host
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

