CVE Alert: CVE-2025-40779 – ISC – Kea
CVE-2025-40779
If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the `kea-dhcp4` process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem. This issue affects Kea versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0.
AI Summary Analysis
Risk verdict
Why this matters
Most likely attack path
Who is most exposed
Detection ideas
- Crashes or core dumps from the kea-dhcp4 process.
- Logs showing assertion failures or NULL pointer dereferences.
- Sudden restarts of the DHCP service and spikes in error-level events.
- DHCP requests carrying unusual options arriving at the server via unicast rather than broadcast.
- Correlated timing with specific client option submissions.
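As a worked illustration of the first three detection ideas, the following Python script scans syslog-style lines for kea-dhcp4 assertion failures, abnormal exits and service restarts, and raises an alert when several crashes occur within a short window. This is an added example, not code from ISC or from the CVE page; the log lines are constructed for the example, and the message strings and regular expressions are assumptions about what such lines might contain rather than verified Kea or systemd output.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: syslog-style lines as an rsyslog/journald export might look.
# Timestamps, hostnames, PIDs and message text are invented for this example;
# they are not real Kea or systemd output.
SAMPLE_LOG = """\
2025-08-27T10:00:01 dhcp1 kea-dhcp4[2231]: INFO  DHCP4_STARTED Kea DHCPv4 server version 3.1.0 started
2025-08-27T10:05:12 dhcp1 kea-dhcp4[2231]: kea-dhcp4: Assertion failed while selecting subnet
2025-08-27T10:05:12 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
2025-08-27T10:05:13 dhcp1 systemd[1]: kea-dhcp4.service: Scheduled restart job, restart counter is at 1.
2025-08-27T10:05:14 dhcp1 kea-dhcp4[2290]: INFO  DHCP4_STARTED Kea DHCPv4 server version 3.1.0 started
2025-08-27T10:06:40 dhcp1 kea-dhcp4[2290]: kea-dhcp4: Assertion failed while selecting subnet
2025-08-27T10:06:40 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
2025-08-27T10:06:41 dhcp1 systemd[1]: kea-dhcp4.service: Scheduled restart job, restart counter is at 2.
2025-08-27T10:06:42 dhcp1 kea-dhcp4[2340]: INFO  DHCP4_STARTED Kea DHCPv4 server version 3.1.0 started
2025-08-27T12:30:00 dhcp1 kea-dhcp4[2340]: INFO  DHCP4_LEASE_ALLOC lease allocated
"""

# "<iso timestamp> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[\w.-]+)\[\d+\]:\s+(?P<msg>.*)$"
)

# Indicator patterns mapped to the detection ideas above. These are assumptions
# about what the relevant lines might contain, not verified Kea/systemd strings.
INDICATORS = {
    "assertion": re.compile(r"assert(ion)?\s+failed|assertion failure", re.I),
    "crash": re.compile(r"core dumped|code=dumped|SIGABRT|6/ABRT", re.I),
    "restart": re.compile(r"scheduled restart|restart counter", re.I),
    "start": re.compile(r"DHCP4_STARTED", re.I),
}


def parse(lines):
    """Yield (timestamp, process, message) for parseable lines that mention kea-dhcp4."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "kea-dhcp4" not in line:
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("proc"), m.group("msg")


def classify(msg):
    """Return the indicator names whose pattern matches the message (possibly none)."""
    return [name for name, rx in INDICATORS.items() if rx.search(msg)]


def scan_kea_log(text, window=timedelta(minutes=15), crash_threshold=2):
    """Tag indicator events and alert when crash_threshold crashes fall inside one window."""
    events = [(ts, kind, msg)
              for ts, _proc, msg in parse(text.splitlines())
              for kind in classify(msg)]
    counts = Counter(kind for _, kind, _ in events)
    crash_times = sorted(ts for ts, kind, _ in events if kind == "crash")
    alert = False
    # Sliding window over crash timestamps: repeated aborts in a short span are a
    # stronger signal than a single one-off failure.
    for i, t0 in enumerate(crash_times):
        if sum(1 for t in crash_times[i:] if t - t0 <= window) >= crash_threshold:
            alert = True
            break
    return {"events": events, "counts": dict(counts), "alert": alert}


if __name__ == "__main__":
    result = scan_kea_log(SAMPLE_LOG)
    for ts, kind, msg in result["events"]:
        print(f"{ts.isoformat()} [{kind}] {msg}")
    print("counts:", result["counts"])
    print("ALERT: repeated kea-dhcp4 crashes" if result["alert"] else "no alert")
```

Point the script at an export of the DHCP server's journal or syslog instead of `SAMPLE_LOG`, and tune `window` and `crash_threshold` to the normal restart rate of the host. Note that log lines alone cannot distinguish a unicast request from a broadcast one; to confirm the unicast condition described for this CVE, correlate the crash timestamps with a packet capture of UDP port 67 traffic addressed to the server's own IP rather than to the broadcast address.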
Mitigation and prioritisation
- Upgrade to a fixed release: 3.0.1 or 3.1.1; test in a staging environment before production rollout.
- If patching is delayed, restrict unicast DHCPv4 traffic to trusted segments and implement network ACLs/firewall rules limiting access to the DHCP server.
- Ensure robust monitoring and enable detailed DHCP logs; prepare for potential rapid rollback if instability occurs.
- Change-management: schedule within next maintenance window; coordinate with network and operations teams.
- If the CVE is listed in the CISA KEV catalogue or its EPSS score is ≥ 0.5, treat it as priority 1. Neither value is provided here; monitor for those signals and adjust accordingly.