CVE-2026-3608

HIGH 7.5

Stack overflow in Kea daemons

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

4th

Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.

CWE	CWE-617
Vendor	isc
Product	kea
Published	Mar 25, 2026
Last Updated	Mar 25, 2026

Stay Ahead of the Next One

Get instant alerts for isc kea

Be the first to know when new high vulnerabilities affecting isc kea are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

ISC / Kea

2.6.0 ≤ 2.6.4 3.0.0 ≤ 3.0.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

kb.isc.org: https://kb.isc.org/docs/cve-2026-3608 downloads.isc.org: https://downloads.isc.org/isc/kea/2.6.5 downloads.isc.org: https://downloads.isc.org/isc/kea/3.0.3 openwall.com: http://www.openwall.com/lists/oss-security/2026/03/25/6

Credits

ISC would like to thank Ali Norouzi of Keysight for bringing this vulnerability to our attention.