Introduction
This is a complete list of all Kea security advisories, both current and historical. Each advisory applies only to particular versions of Kea, and this list does not indicate which ones. Consult the individual advisory to determine which Kea version(s) it applies to.
Advisories are listed by date, most recent first. The release date is the date of public disclosure.
Advisories
| CVE ID | Title | Released |
|---|---|---|
| CVE-2026-3608 | Stack overflow in Kea daemons | 2026-03-25 |
| CVE-2025-11232 | Invalid characters cause assert | 2025-10-29 |
| CVE-2025-40779 | Kea crash upon interaction between specific client options and subnet selection | 2025-08-27 |
| CVE-2025-32803 | Insecure file permissions can result in confidential information leakage | 2025-05-28 |
| CVE-2025-32802 | Insecure handling of file paths allows multiple local attacks | 2025-05-28 |
| CVE-2025-32801 | Loading a malicious hook library can lead to local privilege escalation | 2025-05-28 |
| CVE-2019-6474 | An oversight when validating incoming client requests can lead to a situation where the Kea server will exit when trying to restart | 2019-08-28 |
| CVE-2019-6473 | An invalid hostname option can cause the kea-dhcp4 server to terminate | 2019-08-28 |
| CVE-2019-6472 | A packet containing a malformed DUID can cause the kea-dhcp6 server to terminate | 2019-08-28 |
| CVE-2018-5739 | ISC Kea 1.4.0 failure to release memory may exhaust system resources | 2018-07-11 |
| CVE-2015-8373 | ISC Kea: unexpected termination while handling a malformed packet | 2015-12-22 |
