CVE-2025-11232: CWE-823 Use of Out-of-range Pointer Offset in ISC Kea
To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.
AI Analysis
Technical Summary
CVE-2025-11232 is a vulnerability classified under CWE-823 (Use of Out-of-range Pointer Offset) affecting ISC Kea DHCP server versions 3.0.1 and 3.1.1. The flaw arises when three configuration parameters are set in a specific manner: the "hostname-char-set" remains at its default regex value "[^A-Za-z0-9.-]", "hostname-char-replacement" is left empty, and "ddns-qualifying-suffix" is set to a non-empty string. Under these conditions, a specially crafted DHCP client request containing certain option content can trigger an out-of-bounds pointer dereference in the kea-dhcp4 process, causing it to exit unexpectedly. This results in a denial-of-service (DoS) condition by crashing the DHCP server process. Notably, Dynamic DNS (DDNS) updates do not need to be enabled for the vulnerability to manifest. The vulnerability can be exploited remotely without requiring any privileges or user interaction, increasing its risk profile. Although no public exploits have been reported yet, the CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates a high severity focused on availability impact. The root cause is improper bounds checking leading to an out-of-range pointer offset during processing of DHCP options under the specified configuration. This vulnerability could disrupt DHCP services, impacting IP address assignment and network connectivity for clients relying on affected servers.
Potential Impact
For European organizations, the primary impact of CVE-2025-11232 is denial of service against DHCP infrastructure. DHCP servers running vulnerable Kea versions may crash upon receiving malicious DHCP requests, causing loss of IP address assignment services. This can lead to widespread network outages, affecting enterprise operations, critical infrastructure, and public services dependent on reliable network connectivity. The lack of authentication or user interaction requirements means attackers can remotely trigger the crash, potentially from within or outside the network perimeter. Organizations with large-scale deployments of ISC Kea in data centers, ISPs, or government networks could experience significant operational disruption. Additionally, the downtime may increase exposure to secondary attacks due to loss of network controls. Although no confidentiality or integrity impact is indicated, the availability impact alone can have severe consequences for business continuity and service delivery in sectors such as finance, healthcare, telecommunications, and public administration across Europe.
Mitigation Recommendations
To mitigate CVE-2025-11232, organizations should first verify whether their Kea DHCP servers are running affected versions 3.0.1 or 3.1.1. Immediate mitigation can be achieved by modifying configuration parameters to avoid the vulnerable state: specifically, ensure that at least one of the following holds: "hostname-char-set" is changed from its default, "hostname-char-replacement" is set to a non-empty value, or "ddns-qualifying-suffix" remains empty. This configuration change prevents the out-of-range pointer offset from being triggered. Organizations should monitor ISC advisories and apply official patches or upgrades as soon as they become available. Network-level protections such as DHCP request filtering or rate limiting can reduce exposure to malicious DHCP packets. Implementing robust network segmentation and monitoring DHCP server logs for abnormal crashes or restarts can aid in early detection. Regular backups and failover DHCP servers can minimize downtime impact. Finally, conducting internal penetration testing to simulate exploit attempts can validate the effectiveness of mitigations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: isc
- Date Reserved: 2025-10-01T15:15:46.992Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6902598f52c03fa7b6eb66e0
Added to database: 10/29/2025, 6:14:39 PM
Last enriched: 11/5/2025, 7:24:45 PM
Last updated: 12/13/2025, 9:43:39 PM