PatchSiren cyber security CVE debrief
CVE-2026-3608 ISC CVE debrief
CVE-2026-3608 is a high-severity vulnerability in the Kea DHCP server. It can be exploited by sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons, which causes the receiving daemon to exit with a stack overflow error. The vulnerability affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2. Users of affected versions should update to a patched version as soon as possible. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high level of severity. The vulnerability was publicly disclosed on March 25, 2026, and the record was modified on June 30, 2026.
- Vendor: ISC
- Product: Kea
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-25
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-25
- Advisory updated: 2026-06-30
Who should care
Users of Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2 should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version of Kea and monitoring for any suspicious activity. Additionally, administrators of systems that use Kea should review their configurations and ensure that they are not exposed to untrusted networks.
Technical summary
CVE-2026-3608 is a stack overflow vulnerability in the Kea DHCP server. It can be exploited by sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener. This can cause the receiving daemon to exit with a stack overflow error. The vulnerability has a CVSS score of 7.5 and is considered high-severity. The affected versions of Kea are 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
Defensive priority
High
Recommended defensive actions
- Update to a patched version of Kea (2.6.5 or later, or 3.0.3 or later) as soon as possible.
- Monitor for any suspicious activity on systems that use Kea.
- Review Kea configurations to ensure they are not exposed to untrusted networks.
- Implement network segmentation to limit exposure of the Kea daemons to the vulnerability.
- Conduct regular vulnerability scans to detect and address any potential issues.
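The update and configuration-review actions above can be combined into one check. The following is an added example, not code from ISC or from the original page. It assumes the Kea configuration has already been loaded as plain JSON, that the key names used (`http-host`, `control-socket`, `control-sockets`, `socket-address`, HA `peers`) match the deployed Kea release, and that the HA listener binds to this server's own peer URL.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Affected ranges as stated in the advisory text above.
AFFECTED = (((2, 6, 0), (2, 6, 4)), ((3, 0, 0), (3, 0, 2)))

def is_affected(version):
    """True when a Kea version string such as '2.6.3' is in an affected range."""
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    return any(lo <= parts <= hi for lo, hi in AFFECTED)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return host == "localhost"

def exposed_listeners(config):
    """Return sorted (daemon, kind, host) for listeners not bound to loopback."""
    found = set()
    for daemon, body in config.items():
        hosts = []
        if "http-host" in body:  # kea-ctrl-agent REST listener (assumed key)
            hosts.append(("api", body["http-host"]))
        socks = body.get("control-sockets", []) + [body.get("control-socket", {})]
        for s in socks:  # unix sockets are local-only and skipped
            if s.get("socket-type") in ("http", "https"):
                # assumed default when the address is omitted: loopback
                hosts.append(("api", s.get("socket-address", "127.0.0.1")))
        for lib in body.get("hooks-libraries", []):
            for ha in lib.get("parameters", {}).get("high-availability", []):
                for peer in ha.get("peers", []):
                    if peer.get("name") == ha.get("this-server-name"):
                        hosts.append(("ha", urlparse(peer["url"]).hostname or ""))
        found.update((daemon, k, h) for k, h in hosts if not is_loopback(h))
    return sorted(found)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = json.loads("""{"Dhcp4": {
  "control-sockets": [
    {"socket-type": "unix", "socket-name": "/run/kea/kea4-ctrl-socket"},
    {"socket-type": "http", "socket-address": "0.0.0.0", "socket-port": 8000}],
  "hooks-libraries": [{"library": "libdhcp_ha.so", "parameters": {
    "high-availability": [{"this-server-name": "server1", "peers": [
      {"name": "server1", "url": "http://192.0.2.10:8001/", "role": "primary"},
      {"name": "server2", "url": "http://192.0.2.11:8001/", "role": "standby"}
    ]}]}}]}}""")

if __name__ == "__main__":
    print(is_affected("3.0.1"), exposed_listeners(SAMPLE))
```

A host that reports an affected version and also returns a non-empty list from `exposed_listeners` is the first candidate for patching and for tightening which networks can reach those listeners.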
Evidence notes
The vulnerability was publicly disclosed on March 25, 2026, and the record was modified on June 30, 2026. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high level of severity. The affected versions of Kea are 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
Official resources
- CVE-2026-3608 CVE record (CVE.org)
- CVE-2026-3608 NVD detail (NVD)
This article was generated with AI assistance and is based on the supplied source corpus.