A HIGH-severity vulnerability identified as CVE-2026-3608 has been published on March 25, 2026 with a CVSS base score of 7.5. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.
Vulnerability Details
CVE ID: CVE-2026-3608
Severity: HIGH
CVSS Score: 7.5
Published: March 25, 2026
Weakness (CWE): CWE-617
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | High |
Technical Description
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2.
Potential Impact
If exploited, this high-severity vulnerability could allow an attacker to cause a denial of service. Organizations running affected software should treat this as a priority remediation item.
Recommended Action
No official patch is available yet. Until one is released:
- Monitor the official NVD page and vendor channels for patch announcements.
- Restrict access to the affected system or service where possible.
- Apply network-level mitigations such as firewall rules or WAF policies.
- Enable logging and alerting for anomalous activity related to this vulnerability.
- Review your incident response plan in case of active exploitation.
References
Related Security Advisories
- [HIGH] CVE-2025-41660 — CVSS 8.8 (March 24, 2026) — HIGH / CVSS 8.8
- [HIGH] CVE-2026-3509 — CVSS 7.5 (March 24, 2026) — HIGH / CVSS 7.5
- [HIGH] CVE-2026-4579 — CVSS 7.3 (March 23, 2026) — HIGH / CVSS 7.3
![[HIGH] CVE-2026-0234 — CVSS 7.2 (April 13, 2026)](https://atlas-cybersecurity.com/wp-content/plugins/elementor/assets/images/placeholder.png)
