
CVE-2025-11232: CWE-823 Use of Out-of-range Pointer Offset in ISC Kea

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-11232, cwe-823
Published: Wed Oct 29 2025 (10/29/2025, 18:02:39 UTC)
Source: CVE Database V5
Vendor/Project: ISC
Product: Kea

Description

To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly. This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.

AI-Powered Analysis

Last updated: 10/29/2025, 18:27:24 UTC

Technical Analysis

CVE-2025-11232 is a vulnerability classified under CWE-823 (Use of Out-of-range Pointer Offset) affecting ISC Kea DHCP server versions 3.0.1 and 3.1.1 through 3.1.2. The flaw is triggered when three configuration parameters are set in a specific way: the "hostname-char-set" remains at its default regex value "[^A-Za-z0-9.-]", "hostname-char-replacement" is empty (default), and "ddns-qualifying-suffix" is set to a non-empty string (deviating from its default empty value). Under these conditions, a remote DHCP client can send specially crafted DHCP option content that causes the kea-dhcp4 process to dereference an out-of-range pointer, leading to an unexpected crash of the DHCP server process. This results in a denial of service (DoS) condition, disrupting DHCP services. The vulnerability does not require DDNS updates to be enabled, nor does it require any authentication or user interaction, making it remotely exploitable over the network with low complexity. The CVSS v3.1 base score is 7.5 (high), reflecting the network attack vector, lack of required privileges, and the impact limited to availability. No known public exploits are reported yet, but the vulnerability poses a significant risk to network availability where ISC Kea DHCP servers are deployed with the vulnerable configurations. ISC Kea is widely used in ISP and enterprise environments for DHCP services, making this vulnerability relevant to critical infrastructure. The absence of patches at the time of reporting necessitates configuration workarounds or monitoring until fixes are released.

Potential Impact

The primary impact of CVE-2025-11232 is denial of service due to the kea-dhcp4 process crashing upon receipt of malicious DHCP option content. For European organizations, especially ISPs, data centers, and enterprises relying on ISC Kea for DHCP services, this can lead to network outages, loss of IP address assignment capabilities, and disruption of connected services dependent on DHCP. This can affect business continuity, cause operational downtime, and potentially impact critical services such as VoIP, internal communications, and cloud infrastructure. The vulnerability’s remote exploitability without authentication increases the risk of opportunistic attacks or targeted disruption campaigns. Given the importance of DHCP in network operations, prolonged or repeated exploitation could degrade trust in network reliability and increase operational costs. Additionally, organizations in sectors with stringent uptime requirements (e.g., finance, healthcare, government) may face regulatory and compliance challenges if service interruptions occur. The lack of known exploits currently provides a window for proactive mitigation, but the ease of exploitation and high impact on availability make this a pressing concern.

Mitigation Recommendations

Until official patches are released by ISC, European organizations should implement the following mitigations:

1) Review and modify the DHCP server configuration to avoid the vulnerable parameter combination by either changing "hostname-char-set" from the default regex or ensuring "ddns-qualifying-suffix" remains empty if feasible.
2) Monitor DHCP server logs and network traffic for anomalous DHCP option content that could indicate exploitation attempts.
3) Employ network-level protections such as DHCP snooping and filtering to restrict DHCP traffic to trusted clients and prevent malicious packets from reaching the server.
4) Implement redundancy and failover mechanisms for DHCP services to minimize impact in case of service crashes.
5) Stay updated with ISC advisories and apply patches promptly once available.
6) Conduct internal vulnerability assessments and penetration testing to verify the absence of the vulnerable configuration and confirm mitigation effectiveness.
7) Educate network administrators about the specific configuration risks and signs of exploitation to enhance detection and response capabilities.
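
One way to carry out the configuration review in item 1, as an added example that is not part of the original page or ISC's own tooling: a Python check that parses a kea-dhcp4 configuration and reports each scope where the three-parameter combination from the description is in effect. It assumes the file is plain JSON without comments and that subnet and shared-network values override the global ones; the function names are hypothetical and the sample configuration is constructed.

```python
import json

# Defaults as stated in the advisory description above.
DEFAULTS = {
    "hostname-char-set": "[^A-Za-z0-9.-]",
    "hostname-char-replacement": "",
    "ddns-qualifying-suffix": "",
}

def _effective(*scopes):
    """Resolve each parameter, most specific scope first, then the default."""
    return {key: next((s[key] for s in scopes if key in s), default)
            for key, default in DEFAULTS.items()}

def _is_trigger(params):
    # Exact string comparison: an equivalent regex written differently is
    # treated as "changed from the default" (assumption of this example).
    return (params["hostname-char-set"] == DEFAULTS["hostname-char-set"]
            and params["hostname-char-replacement"] == ""
            and params["ddns-qualifying-suffix"] != "")

def find_trigger_scopes(config_text):
    """Return the scopes whose effective settings match the trigger combination."""
    dhcp4 = json.loads(config_text).get("Dhcp4", {})
    hits = []
    if _is_trigger(_effective(dhcp4)):
        hits.append("global")
    for subnet in dhcp4.get("subnet4", []):
        if _is_trigger(_effective(subnet, dhcp4)):
            hits.append("subnet " + subnet.get("subnet", "?"))
    for net in dhcp4.get("shared-networks", []):
        if _is_trigger(_effective(net, dhcp4)):
            hits.append("shared-network " + net.get("name", "?"))
        for subnet in net.get("subnet4", []):
            if _is_trigger(_effective(subnet, net, dhcp4)):
                hits.append("subnet " + subnet.get("subnet", "?"))
    return hits

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = """{"Dhcp4": {
  "ddns-qualifying-suffix": "example.org",
  "subnet4": [
    {"id": 1, "subnet": "192.0.2.0/24"},
    {"id": 2, "subnet": "198.51.100.0/24", "hostname-char-replacement": "x"},
    {"id": 3, "subnet": "203.0.113.0/24", "ddns-qualifying-suffix": ""}
  ]}}"""

if __name__ == "__main__":
    for scope in find_trigger_scopes(SAMPLE):
        print("trigger combination in effect:", scope)
```

An empty result means no scope in the file combines the default "hostname-char-set", an empty "hostname-char-replacement" and a non-empty "ddns-qualifying-suffix".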


Technical Details

Data Version: 5.2
Assigner Short Name: isc
Date Reserved: 2025-10-01T15:15:46.992Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6902598f52c03fa7b6eb66e0

Added to database: 10/29/2025, 6:14:39 PM

Last enriched: 10/29/2025, 6:27:24 PM

Last updated: 10/30/2025, 1:38:04 PM
