{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3608", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "state": "PUBLISHED", "assignerShortName": "isc", "dateReserved": "2026-03-05T17:47:36.088Z", "datePublished": "2026-03-25T08:46:48.992Z", "dateUpdated": "2026-03-25T17:22:19.777Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2026-03-25T08:46:48.992Z"}, "title": "Stack overflow in Kea daemons", "datePublic": "2026-03-25T00:00:00.000Z", "affected": [{"vendor": "ISC", "product": "Kea", "versions": [{"version": "2.6.0", "lessThanOrEqual": "2.6.4", "status": "affected", "versionType": "custom"}, {"version": "3.0.0", "lessThanOrEqual": "3.0.2", "status": "affected", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"operator": "OR", "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:isc:kea:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.0", "versionEndIncluding": "2.6.4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:isc:kea:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndIncluding": "3.0.2"}]}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617 Reachable Assertion"}]}], "descriptions": [{"lang": "en", "value": "Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error.\nThis issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Loss of DHCP services"}]}], "workarounds": [{"lang": "en", "value": "Securing the API sockets with TLS, and requiring the client to authenticate with a certificate (mutual authentication), prevents the attacker from establishing an API connection to Kea. Set cert-required to true (the default) to require a client certificate. See: https://kea.readthedocs.io/en/stable/arm/security.html#tls-https-configuration"}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of Kea: 2.6.5 or 3.0.3."}], "credits": [{"lang": "en", "value": "ISC would like to thank Ali Norouzi of Keysight for bringing this vulnerability to our attention."}], "references": [{"url": "https://kb.isc.org/docs/cve-2026-3608", "name": "CVE-2026-3608", "tags": ["vendor-advisory"]}, {"url": "https://downloads.isc.org/isc/kea/2.6.5", "tags": ["patch"]}, {"url": "https://downloads.isc.org/isc/kea/3.0.3", "tags": ["patch"]}], "source": {"discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:26:04.073699Z", "id": "CVE-2026-3608", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:26:12.153Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-25T17:22:19.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/25/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-25T17:22:19.777Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3608", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:26:04.073699Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:26:07.634Z"}}], "cna": {"title": "Stack overflow in Kea daemons", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "ISC would like to thank Ali Norouzi of Keysight for bringing this vulnerability to our attention."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Loss of DHCP services"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ISC", "product": "Kea", "versions": [{"status": "affected", "version": "2.6.0", "versionType": "custom", "lessThanOrEqual": "2.6.4"}, {"status": "affected", "version": "3.0.0", "versionType": "custom", "lessThanOrEqual": "3.0.2"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of Kea: 2.6.5 or 3.0.3."}], "datePublic": "2026-03-25T00:00:00.000Z", "references": [{"url": "https://kb.isc.org/docs/cve-2026-3608", "name": "CVE-2026-3608", "tags": ["vendor-advisory"]}, {"url": "https://downloads.isc.org/isc/kea/2.6.5", "tags": ["patch"]}, {"url": "https://downloads.isc.org/isc/kea/3.0.3", "tags": ["patch"]}], "workarounds": [{"lang": "en", "value": "Securing the API sockets with TLS, and requiring the client to authenticate with a certificate (mutual authentication), prevents the attacker from establishing an API connection to Kea. Set cert-required to true (the default) to require a client certificate. See: https://kea.readthedocs.io/en/stable/arm/security.html#tls-https-configuration"}], "descriptions": [{"lang": "en", "value": "Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error.\nThis issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617 Reachable Assertion"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:isc:kea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "2.6.4", "versionStartIncluding": "2.6.0"}, {"criteria": "cpe:2.3:a:isc:kea:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "3.0.2", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2026-03-25T08:46:48.992Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3608", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:22:19.777Z", "dateReserved": "2026-03-05T17:47:36.088Z", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "datePublished": "2026-03-25T08:46:48.992Z", "assignerShortName": "isc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error.\nThis issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2."}], "id": "CVE-2026-3608", "lastModified": "2026-03-25T18:16:32.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-officer@isc.org", "type": "Secondary"}]}, "published": "2026-03-25T09:16:25.810", "references": [{"source": "security-officer@isc.org", "url": "https://downloads.isc.org/isc/kea/2.6.5"}, {"source": "security-officer@isc.org", "url": "https://downloads.isc.org/isc/kea/3.0.3"}, {"source": "security-officer@isc.org", "url": "https://kb.isc.org/docs/cve-2026-3608"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/25/6"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security-officer@isc.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Kea: Kea: Denial of Service via maliciously crafted message", "id": "2451139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451139"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-617", "details": ["A flaw was found in Kea. A remote attacker can send a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener. This can cause a stack overflow error, leading to the daemon exiting and resulting in a Denial of Service (DoS)."], "name": "CVE-2026-3608", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kea", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-03-25T08:46:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3608\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3608\nhttps://downloads.isc.org/isc/kea/2.6.5\nhttps://downloads.isc.org/isc/kea/3.0.3\nhttps://kb.isc.org/docs/cve-2026-3608"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.6.0,2.6.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.2]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Kea", "source": "cna", "vendor": "ISC"}, "product": "kea", "vendor": "isc"}], "analysis": {"en": {"generated_at": "2026-03-25T10:50:30.959829+00:00", "value": {"mitigation_remediation": ["Upgrade Kea to a patched release that matches your current version, such as 2.6.5 or 3.0.3.", "If an upgrade cannot be applied immediately, enable TLS on the API sockets and enforce mutual authentication by setting cert-required to true.", "Limit exposure of the API socket or HA listener to trusted hosts or networks using firewall rules or network segmentation."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via stack overflow"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ISC Kea DHCP suite, including kea\u2011ctrl\u2011agent, kea\u2011dhcp\u2011ddns, kea\u2011dhcp4, and kea\u2011dhcp6. Versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2 on any platform that exposes an API socket or HA listener are susceptible.", "description_and_impact": "A crafted message sent to any of the Kea daemons that listen on an API socket or HA listener can cause a stack overflow, terminating the daemon. The result is a denial\u2011of\u2011service condition; the affected service stops until restarted and no code execution is possible.", "risk_and_exploitability": "The severity score is 7.5, placing the issue in the high range. No EPSS score is available, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker with network access to the exposed API endpoint can trigger the overflow without privileged access. Prompt remediation is advised, especially if the sockets are reachable from untrusted networks."}}}}, "created": "2026-03-25T21:15:53.287745+00:00", "updated": "2026-03-26T11:51:27.549288+00:00", "vendors": ["isc", "isc$PRODUCT$kea"]}