CVE-2026-3608 Overview
CVE-2026-3608 is a denial of service vulnerability affecting ISC Kea, an open-source DHCP server software suite. The vulnerability allows remote attackers to crash multiple Kea daemons by sending maliciously crafted messages to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons through any configured API socket or High Availability (HA) listener. When exploited, the receiving daemon exits with a stack overflow error, disrupting DHCP services across the network.
This vulnerability is classified as CWE-617 (Reachable Assertion), indicating that an assertion in the code can be triggered by remote input, causing the application to terminate unexpectedly.
Critical Impact
Exploitation of this vulnerability can cause complete denial of DHCP services, preventing network devices from obtaining IP addresses and disrupting network connectivity across enterprise environments.
Affected Products
- ISC Kea versions 2.6.0 through 2.6.4
- ISC Kea versions 3.0.0 through 3.0.2
- All deployments using configured API sockets or HA listeners
Discovery Timeline
- 2026-03-25 - CVE-2026-3608 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-3608
Vulnerability Analysis
The vulnerability exists in the message handling logic of multiple ISC Kea daemons. When these daemons receive a specially crafted message via their API socket or HA listener interface, they fail to properly validate the input before processing. This leads to excessive recursion or memory allocation that triggers a stack overflow condition, causing the daemon to terminate abruptly.
The network-accessible nature of this vulnerability means attackers can exploit it remotely without authentication. No user interaction is required, and the attack complexity is low, making this vulnerability particularly dangerous for organizations running exposed Kea DHCP services.
Root Cause
The root cause is improper handling of deeply nested or malformed JSON structures in the control channel messages. The affected daemons use recursive parsing functions that do not adequately limit recursion depth, allowing an attacker to craft messages that exhaust the stack space. This is classified under CWE-617 (Reachable Assertion), as the stack overflow ultimately triggers an assertion failure that terminates the process.
Attack Vector
The attack is conducted over the network by sending malformed messages to the Kea daemon's control channel. Attackers can target:
- API Sockets: The control agent socket used for administrative commands
- HA Listeners: High Availability communication channels between Kea servers
- DHCP Control Channels: Direct communication with kea-dhcp4 or kea-dhcp6 daemons
The attacker crafts a message with deeply nested JSON structures or other malformed content that causes the parsing functions to recurse excessively. When the stack limit is reached, the daemon crashes immediately, denying DHCP services to all clients.
Since no authentication is required to send messages to these endpoints in many configurations, any network-accessible attacker can trigger this vulnerability.
Detection Methods for CVE-2026-3608
Indicators of Compromise
- Unexpected termination of kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 processes
- System logs containing stack overflow or segmentation fault errors from Kea daemons
- Repeated daemon crashes followed by automatic restarts
- Network clients reporting DHCP service unavailability
Detection Strategies
- Monitor Kea daemon process stability and configure alerting for unexpected terminations
- Analyze network traffic to Kea control sockets for unusually large or malformed JSON payloads
- Implement intrusion detection rules to identify suspicious patterns in API socket communications
- Review systemd or process manager logs for recurring Kea daemon failures
Monitoring Recommendations
- Deploy network monitoring to detect anomalous traffic patterns targeting DHCP server ports
- Configure centralized logging for all Kea daemon events and crash dumps
- Establish baseline metrics for normal Kea daemon operation to identify deviations
- Implement real-time alerting for DHCP service disruptions
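As an added example (not from this page or from ISC), the crash-loop check behind the detection and monitoring strategies above, run over constructed systemd journal lines; the 2026 year and the three-crashes-in-five-minutes threshold are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style journal lines (not from a real incident): three
# abnormal kea-dhcp4 exits in two minutes, a clean kea-ctrl-agent exit, noise.
SAMPLE_LOG = """\
Mar 25 10:01:02 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
Mar 25 10:01:12 dhcp1 systemd[1]: kea-dhcp4.service: Scheduled restart job, restart counter is at 1.
Mar 25 10:01:40 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
Mar 25 10:02:30 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
Mar 25 11:30:00 dhcp1 systemd[1]: kea-ctrl-agent.service: Main process exited, code=exited, status=0/SUCCESS
Mar 25 11:30:05 dhcp1 sshd[4242]: Accepted publickey for admin from 10.0.0.7 port 51000
"""

KEA_UNITS = ("kea-ctrl-agent", "kea-dhcp-ddns", "kea-dhcp4", "kea-dhcp6")
# Abnormal exits only (core dump from SIGABRT/SIGSEGV, or killed);
# clean code=exited lines are deliberately not matched.
CRASH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ systemd\[\d+\]: "
    r"(?P<unit>" + "|".join(KEA_UNITS) + r")\.service: "
    r"Main process exited, code=(?:dumped|killed)"
)

def parse_crashes(log_text, year=2026):
    """Return a sorted list of (timestamp, unit) for abnormal Kea daemon exits."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            crashes.append((ts, m["unit"]))
    return sorted(crashes)

def detect_crash_loops(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {unit: alert_time} for each Kea unit with >= threshold crashes
    inside any sliding window: one crash is noise, a loop is the pattern."""
    per_unit = defaultdict(list)
    for ts, unit in parse_crashes(log_text):
        per_unit[unit].append(ts)
    alerts = {}
    for unit, times in per_unit.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[unit] = ts
                break
    return alerts
```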
How to Mitigate CVE-2026-3608
Immediate Actions Required
- Upgrade to ISC Kea version 2.6.5 or 3.0.3 immediately to patch this vulnerability
- Restrict network access to Kea API sockets and HA listeners to trusted management networks only
- Review firewall rules to ensure Kea control channels are not exposed to untrusted networks
- Monitor Kea daemon logs for signs of exploitation attempts
Patch Information
ISC has released patched versions that address this vulnerability:
- Kea 2.6.5: available from the ISC Kea download page (Kea Download 2.6.5)
- Kea 3.0.3: available from the ISC Kea download page (Kea Download 3.0.3)
For detailed information about the vulnerability and remediation steps, refer to the ISC Knowledge Base article for CVE-2026-3608. Additional community discussion is available on the Openwall oss-security mailing list.
Workarounds
- Implement network segmentation to isolate Kea control interfaces from untrusted networks
- Configure host-based firewalls to allow API socket connections only from authorized management hosts
- Deploy a reverse proxy with input validation in front of the Kea control agent
- Temporarily disable unused HA listeners if high availability is not required
# Example: Restrict access to Kea control socket using firewall rules
# Allow only trusted management network to access kea-ctrl-agent
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
# Alternatively, configure Kea to listen only on localhost
# In kea-ctrl-agent.conf, set:
# "http-host": "127.0.0.1"
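An added example (not Kea's code or the advisory's) of the input validation a reverse proxy from the workarounds list could apply in front of kea-ctrl-agent, given the nested-JSON root cause this page describes; the depth and size limits and the hypothetical prevalidate_control_message helper are assumptions:

```python
import json

# Limits are assumptions for illustration, not values taken from Kea or the advisory.
MAX_DEPTH = 32
MAX_BYTES = 64 * 1024

def json_nesting_depth(text):
    """Maximum [ / { nesting depth of raw JSON text, found by a flat scan that
    skips string literals (including escaped quotes) and never recurses."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth

def prevalidate_control_message(raw):
    """Return (ok, reason); only ok messages get forwarded to kea-ctrl-agent.
    Size and depth are checked before any JSON parser touches the bytes, so
    the parser (and the daemon behind it) never sees an over-nested document."""
    if len(raw) > MAX_BYTES:
        return False, "message too large"
    depth = json_nesting_depth(raw)
    if depth > MAX_DEPTH:
        return False, f"nesting depth {depth} exceeds {MAX_DEPTH}"
    try:
        msg = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return False, f"invalid JSON: {exc}"
    if not isinstance(msg, dict) or not isinstance(msg.get("command"), str):
        return False, "expected an object with a string 'command'"
    return True, "ok"

# Constructed inputs: a normal Kea command and an over-nested blob.
NORMAL = '{"command": "list-commands", "service": ["dhcp4"]}'
OVER_NESTED = "[" * 200 + "]" * 200
```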
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.