rpm package
almalinux/kea-doc
pkg:rpm/almalinux/kea-doc
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-3608 | — | < 3.0.1-3.el10_1 | 3.0.1-3.el10_1 | Mar 25, 2026 | Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3. | ||
| CVE-2025-11232 | Hig | 7.5 | < 3.0.1-2.el10_1 | 3.0.1-2.el10_1 | Oct 29, 2025 | To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the def | |
| CVE-2025-32803 | Med | 4.0 | < 2.6.3-1.el10_0 | 2.6.3-1.el10_0 | May 28, 2025 | In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. | |
| CVE-2025-32802 | Med | 6.1 | < 2.6.3-1.el10_0 | 2.6.3-1.el10_0 | May 28, 2025 | Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affec | |
| CVE-2025-32801 | Hig | 7.8 | < 2.6.3-1.el10_0 | 2.6.3-1.el10_0 | May 28, 2025 | Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1 |
- CVE-2026-3608Mar 25, 2026affected < 3.0.1-3.el10_1fixed 3.0.1-3.el10_1
Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.
- affected < 3.0.1-2.el10_1fixed 3.0.1-2.el10_1
To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the def
- affected < 2.6.3-1.el10_0fixed 2.6.3-1.el10_0
In some cases, Kea log files or lease files may be world-readable. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
- affected < 2.6.3-1.el10_0fixed 2.6.3-1.el10_0
Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affec
- affected < 2.6.3-1.el10_0fixed 2.6.3-1.el10_0
Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1