Wednesday, April 22, 2026

Kea DHCP Stack Overflow: A Practical Guide to Checking, Patching, and Blocking (CVE-2026-3608)

 


A stack overflow in Kea DHCP (CVE-2026-3608) can crash your DHCP servers remotely. Learn to check, patch, or block it with iptables. Includes automation scripts for Ubuntu, Rocky, and SUSE. No fluff, just commands.


Historical context: In April 2026, a security update (SUSE-SU-2026:1548-1) was released for a stack overflow vulnerability in Kea DHCP (CVE-2026-3608). The issue allowed a remote, unauthenticated attacker to crash the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 services using a specially crafted message.

But here’s the thing: this same mistake happens every couple of years in network services. That’s why this guide stays useful. You’ll learn how to check for similar stack overflows, apply the fix automatically, and block attacks when you can’t update right away.


How to check if you are vulnerable (actual commands)


Run these commands to see if your Kea version is below 2.6.5 (the fixed release). Works on Ubuntu 22.04 / 24.04, Rocky Linux 8 / 9, and SUSE Leap 15.6.

Ubuntu / Debian

bash
# Check installed version (kea-dhcp4 -v prints only the version number, e.g. 2.6.5)
kea-dhcp4 -v
# Or for package-based check
dpkg -l | grep kea
# Expected fixed version: 2.6.5 or higher

Rocky Linux / RHEL / Fedora

bash
rpm -qa | grep kea
kea-dhcp4 -v
# Fixed version: 2.6.5-1 or later



SUSE Leap / SLES

bash
zypper info kea | grep Version
# Or
rpm -q kea
# Fixed version: 2.6.5-150600.13.9.1 or higher


What to look for: If your version is older than 2.6.5, you’re vulnerable. The CVSS score is 7.5 (high) for availability – attackers can knock your DHCP offline.
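To turn the version strings the three package managers print into a yes/no answer, here is an added helper script (not part of the original post). It reduces distro package strings such as 2.6.5-1 or 2.6.5-150600.13.9.1 to the upstream version and compares numerically; the fallback lookups assume the Debian package name kea-dhcp4-server and the rpm package name kea.

```shell
#!/bin/sh
# Added example: is the installed Kea older than the first fixed release?
FIXED_VERSION="2.6.5"

# Reduce a raw version string to upstream major.minor.patch:
# drop leading text, a Debian epoch ("1:"), and any release suffix
kea_upstream_version() {
    printf '%s\n' "$1" | sed -E 's/^[^0-9]*//; s/^[0-9]+://; s/[-+].*$//; s/[^0-9.].*$//'
}

# n-th dot-separated field of a version, 0 if absent or non-numeric
vfield() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ print $n }' | grep -E '^[0-9]+$' || echo 0
}

# Return 0 (true) if version $1 is numerically older than version $2
# (numeric, not lexical: 2.6.10 is newer than 2.6.5)
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$1" "$i"); y=$(vfield "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Print "vulnerable", "fixed" or "unknown" for any raw version string
kea_status() {
    v=$(kea_upstream_version "$1")
    [ -z "$v" ] && { echo unknown; return 0; }
    if version_lt "$v" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Read the installed version from whichever tool this host has
installed_kea_version() {
    if command -v kea-dhcp4 >/dev/null 2>&1; then
        kea-dhcp4 -v                                      # prints only the version number
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' kea-dhcp4-server  # assumed Debian/Ubuntu package name
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' kea         # assumed Rocky/SUSE package name
    fi
}

v=$(installed_kea_version 2>/dev/null || true)
if [ -n "$v" ]; then echo "Installed Kea $v: $(kea_status "$v")"; fi
```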


Automation script to apply the fix

Save this as fix-kea-stack-overflow.sh and run it as root. It detects your distro and updates Kea to the patched version.

bash
#!/bin/bash
# Fix for CVE-2026-3608 style stack overflow in Kea DHCP
# Works on Ubuntu/Debian, Rocky/RHEL, SUSE

set -e

echo "Checking Kea version and applying security fix..."

if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
else
    echo "Cannot detect OS. Exiting."
    exit 1
fi

# Restart only the Kea units that are actually running on this host.
# Many sites run kea-dhcp4 without kea-dhcp6, and restarting a unit that
# is not installed would abort the whole script because of set -e.
restart_running() {
    for unit in "$@"; do
        if systemctl is-active --quiet "$unit"; then
            echo "Restarting $unit"
            systemctl restart "$unit"
        fi
    done
}

case $OS in
    ubuntu|debian)
        apt update
        # Debian/Ubuntu package and unit names carry the -server suffix
        apt install --only-upgrade kea-dhcp4-server kea-dhcp6-server kea-ctrl-agent kea-dhcp-ddns-server -y
        restart_running kea-dhcp4-server kea-dhcp6-server kea-ctrl-agent kea-dhcp-ddns-server
        ;;
    rocky|rhel|centos|almalinux)
        dnf update kea -y
        restart_running kea-dhcp4 kea-dhcp6 kea-ctrl-agent kea-dhcp-ddns
        ;;
    sles|opensuse-leap)
        zypper patch --cve=CVE-2026-3608 -y
        # Or full update: zypper update kea -y
        restart_running kea-dhcp4 kea-dhcp6 kea-ctrl-agent kea-dhcp-ddns
        ;;
    *)
        echo "Unsupported OS: $OS"
        exit 1
        ;;
esac

echo "Fix applied. Verify with: kea-dhcp4 -v"

Make it executable and run:

bash
chmod +x fix-kea-stack-overflow.sh
sudo ./fix-kea-stack-overflow.sh

Alternative mitigation if you can’t update now

Sometimes you can’t reboot or upgrade because of change control or legacy dependencies. Here’s how to block the attack without patching.


Option 1: iptables rate-limit or block suspicious traffic

The exploit sends a malformed message to UDP port 67 (DHCPv4) or 547 (DHCPv6). You can’t block DHCP entirely, but you can protect the control agent (which is often HTTP on port 8000):

bash
# Block external access to kea-ctrl-agent (default port 8000).
# 192.168.0.0/16 is an example management range; adjust it. These rules must
# come before any broad ACCEPT already in INPUT (use -I instead of -A if needed).
iptables -A INPUT -p tcp --dport 8000 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

# For DHCP ports: rate-limit to reduce crash impact. This only blunts floods;
# a single crafted packet still gets through, so treat it as a stopgap.
# (The default --limit-burst of 5 applies unless you set one.)
iptables -A INPUT -p udp --dport 67 -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p udp --dport 67 -j DROP
# DHCPv6 (server port 547) is IPv6 traffic, so the same pair goes into ip6tables
ip6tables -A INPUT -p udp --dport 547 -m limit --limit 10/second -j ACCEPT
ip6tables -A INPUT -p udp --dport 547 -j DROP

Save rules:

  • Ubuntu: iptables-save > /etc/iptables/rules.v4 (and ip6tables-save > /etc/iptables/rules.v6 for IPv6; both need the iptables-persistent package)
  • Rocky: service iptables save (needs the iptables-services package; Rocky 8/9 ship firewalld by default)
  • SUSE: iptables-save > /etc/sysconfig/iptables
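Rate-limiting blunts floods but does not tell you whether a service has actually been crashed, so watch the journal for the symptom as well. The following is an added example, not part of the original post: its journal lines are constructed samples in systemd's message format, and the unit names follow the Rocky/SUSE naming used above (the regex also matches the -server units on Ubuntu).

```shell
#!/bin/sh
# Added example: count Kea service crashes in journal output. Real use:
#   journalctl -u 'kea-*' --since -1h -o short-iso | count_kea_crashes
# The lines below are constructed samples, not captured from a real host.
SAMPLE_JOURNAL=$(cat <<'EOF'
2026-04-22T10:01:02+0000 dhcp1 systemd[1]: Started kea-dhcp4.service - Kea DHCPv4 Server.
2026-04-22T10:05:17+0000 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, code=dumped, status=6/ABRT
2026-04-22T10:05:17+0000 dhcp1 systemd[1]: kea-dhcp4.service: Failed with result 'core-dump'.
2026-04-22T10:05:18+0000 dhcp1 systemd[1]: kea-dhcp4.service: Scheduled restart job, restart counter is at 1.
2026-04-22T10:06:40+0000 dhcp1 systemd[1]: kea-ctrl-agent.service: Main process exited, code=dumped, status=11/SEGV
2026-04-22T10:06:41+0000 dhcp1 systemd[1]: kea-ctrl-agent.service: Main process exited, code=dumped, status=11/SEGV
2026-04-22T10:30:00+0000 dhcp1 systemd[1]: kea-dhcp6.service: Main process exited, code=exited, status=0/SUCCESS
EOF
)

# Read journal lines on stdin and print "<unit> <count>" for every Kea unit
# whose main process died from a signal (code=dumped or code=killed).
# A clean stop (code=exited) is not a crash and is ignored.
count_kea_crashes() {
    grep -E 'kea-[a-z0-9-]+\.service: Main process exited, code=(dumped|killed)' \
        | sed -E 's/.*(kea-[a-z0-9-]+\.service).*/\1/' \
        | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# Crash count for one unit in the given text ("0" if none)
kea_crash_count() {
    printf '%s\n' "$1" | count_kea_crashes \
        | awk -v u="$2" '$1 == u { print $2; f = 1 } END { if (!f) print 0 }'
}

# Return 0 (true) if any Kea unit crashed in the given text, else 1.
# Wire this into your alerting: a crashing DHCP server is the symptom
# the patch is meant to prevent.
kea_crashed() {
    n=$(printf '%s\n' "$1" | count_kea_crashes | wc -l)
    [ "$n" -gt 0 ]
}

printf '%s\n' "$SAMPLE_JOURNAL" | count_kea_crashes
```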

Option 2: AppArmor / SELinux strict profile

bash
# Assumes you have an AppArmor profile for kea-dhcp4 at this path;
# check with: ls /etc/apparmor.d/ | grep kea
aa-enforce /etc/apparmor.d/usr.sbin.kea-dhcp4
systemctl restart apparmor

On Rocky (SELinux):
bash
getenforce                   # must be Enforcing for any of this to matter
getsebool -a | grep -i kea   # confirm the boolean exists in your policy version
setsebool -P kea_disable_trans 0
semodule -i kea-strict.pp    # Requires a custom policy


Option 3: Put Kea behind a reverse proxy with request filtering (advanced)

If you use kea-ctrl-agent over HTTP, put nginx in front and filter malformed JSON:

nginx
server {
    listen 8000;
    server_name _;
    client_max_body_size 1k;   # control commands are small JSON documents
    location / {
        # Reconfigure kea-ctrl-agent to listen on 127.0.0.1:8001 so only nginx reaches it
        proxy_pass http://127.0.0.1:8001;
        # The control API only takes POST with a JSON body; reject anything else
        limit_except POST { deny all; }
        if ($content_type !~* "application/json") { return 415; }
        # Note: $request_body is still empty when "if" is evaluated (it is read
        # later, for proxy_pass), so body pattern matching such as a NUL-byte
        # check cannot be done with an "if" here
    }
}

Why this matters for your network

A crashed DHCP server means no new IP addresses – new devices can’t join, leases don’t renew, and after a few hours, chaos hits. The attacker doesn’t need credentials, just a single UDP packet.


Important Book:

Using and Administering Linux: Volume 3: Zero to SysAdmin: Network Services by David Both - Amazon

Why it fits: 

This 2023 book covers exactly what you need after a DHCP scare – DHCP server configuration, BIND DNS, SSH security, and SELinux. The vulnerability article showed you how to patch. This book teaches you how to configure DHCP securely from scratch and integrate it with DNS using BIND. It's the most up-to-date option on this list (Fedora Linux 38) and includes automation with Ansible.

Best for: Sysadmins who want a complete, modern guide to network services including DHCP, DNS, and security hardening.


Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.


