What is CVE-2026-3608?

CVE-2026-3608 is a high-severity vulnerability in Isc Kea, classified under Reachable Assertion. CVSS score: 7.5/10. Published 2026-03-25.

How severe is CVE-2026-3608?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Isc Kea

CVE-2026-3608

Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affect…

EPSS: 0.000 (1.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Isc Kea — versions 2.6.0, 3.0.0

Weakness classification (CWE)

CWE-617 — Reachable Assertion

References

CVE-2026-3608 (vendor-advisory)
downloads.isc.org/isc/kea/2.6.5 (patch)
downloads.isc.org/isc/kea/3.0.3 (patch)

Frequently asked questions

What is CVE-2026-3608?: CVE-2026-3608 is a high-severity vulnerability in Isc Kea, classified under Reachable Assertion. CVSS score: 7.5/10. Published 2026-03-25.
How severe is CVE-2026-3608?: High severity. CVSS v3 base score is 7.5 out of 10.