PatchSiren cyber security CVE debrief

CVE-2026-3608 ISC CVE debrief

CVE-2026-3608 is a high-severity vulnerability in the Kea DHCP server. It can be triggered by sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons, causing the receiving daemon to exit with a stack overflow error. The vulnerability affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2. Users of affected versions should update to a patched version as soon as possible. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high level of severity. The vulnerability was publicly disclosed on March 25, 2026, and the CVE record was last updated on June 30, 2026.

Vendor
ISC
Product
Kea
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-25
Original CVE updated
2026-06-30
Advisory published
2026-03-25
Advisory updated
2026-06-30

Who should care

Users of Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2 should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version of Kea and monitoring for any suspicious activity. Additionally, administrators of systems that run Kea should review their configurations and ensure that the daemons' API sockets and HA listeners are not exposed to untrusted networks.

Technical summary

CVE-2026-3608 is a stack overflow vulnerability in the Kea DHCP server. It can be triggered by sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener, causing the receiving daemon to exit with a stack overflow error. The vulnerability has a CVSS score of 7.5 and is considered high-severity. The affected versions of Kea are 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

Defensive priority

High

Recommended defensive actions

  • Update to a patched version of Kea (2.6.5 or later, or 3.0.3 or later) as soon as possible.
  • Monitor for any suspicious activity on systems that use Kea.
  • Review Kea configurations to ensure they are not exposed to untrusted networks.
  • Implement network segmentation to limit which hosts can reach Kea's API sockets and HA listeners.
  • Conduct regular vulnerability scans to detect and address any potential issues.
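The first action above depends on knowing whether an installed release falls inside the affected ranges. The following script is an added example, not part of this debrief or of ISC's tooling: it encodes the version ranges stated on this page and checks version strings against them. It assumes that each Kea daemon prints its version when run with `-v`; adjust `installed_version` if your build reports it differently.

```python
"""Check whether a Kea version string falls inside the ranges CVE-2026-3608 affects."""
import re
import subprocess
from typing import Optional, Tuple

# Affected ranges (inclusive) and first fixed release per branch, as listed in the debrief.
AFFECTED_RANGES = [((2, 6, 0), (2, 6, 4)), ((3, 0, 0), (3, 0, 2))]
FIXED_FOR = {(2, 6): "2.6.5", (3, 0): "3.0.3"}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a MAJOR.MINOR.PATCH triple from text such as '2.6.3' or '3.0.1-git'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the affected ranges (tuple comparison,
    so 2.6.10 correctly sorts above 2.6.4)."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def remediation(version: str) -> str:
    """One-line verdict for an installed version, naming the first fixed release."""
    v = parse_version(version)
    if v is None:
        return f"{version!r}: could not parse version; check manually"
    if is_affected(version):
        return f"{version}: AFFECTED by CVE-2026-3608, upgrade to {FIXED_FOR[v[:2]]} or later"
    return f"{version}: not in an affected range"


def installed_version(binary: str) -> Optional[str]:
    """Ask a local Kea daemon for its version (assumption: `<daemon> -v` prints it)."""
    try:
        out = subprocess.run([binary, "-v"], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Check every daemon named in the advisory that is present on this host.
    for daemon in ("kea-dhcp4", "kea-dhcp6", "kea-dhcp-ddns", "kea-ctrl-agent"):
        ver = installed_version(daemon)
        print(f"{daemon}: {remediation(ver) if ver else 'not found on PATH'}")
```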

Evidence notes

The vulnerability was publicly disclosed on March 25, 2026, and the CVE record was last updated on June 30, 2026. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high level of severity. The affected versions of Kea are 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

Official resources

This article was generated with AI assistance and is based on the supplied source corpus.