CVE-2025-40779: CWE-476 NULL Pointer Dereference in ISC Kea
If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the `kea-dhcp4` process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem. This issue affects Kea versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0.
AI Analysis
Technical Summary
CVE-2025-40779 is a vulnerability classified as CWE-476 (NULL Pointer Dereference) affecting ISC Kea DHCP server versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0. The flaw occurs when a DHCPv4 client sends a unicast request containing specific DHCP options, and the Kea server fails to locate an appropriate subnet for the client. Under these conditions, the kea-dhcp4 process encounters an assertion failure due to dereferencing a NULL pointer, causing the process to abort unexpectedly. This results in a denial of service (DoS) as the DHCP server process crashes and stops responding to DHCP requests. The vulnerability is triggered only by unicast DHCP requests; broadcast requests do not cause this failure. The CVSS v3.1 score is 7.5, indicating high severity, with an attack vector of network (remote), low attack complexity, no privileges required, no user interaction, and impact limited to availability (no confidentiality or integrity impact). No patches or exploits are currently publicly available, but the vulnerability poses a risk to network stability and availability. The issue is particularly critical for environments where DHCP services are essential for IP address management and network connectivity. Attackers can remotely cause service disruption without authentication, making this a significant threat to network infrastructure.
Potential Impact
The primary impact of CVE-2025-40779 is a denial of service condition on DHCP services provided by ISC Kea. For European organizations, this can lead to network outages or degraded network performance as DHCP clients fail to obtain or renew IP addresses. Critical infrastructure, enterprises, and service providers relying on Kea for dynamic IP allocation may experience operational disruptions, affecting business continuity and user productivity. The inability to assign IP addresses can cascade into broader network failures, impacting internal communications, access to cloud services, and internet connectivity. Since the vulnerability can be triggered remotely without authentication, it increases the risk of targeted or opportunistic attacks against network infrastructure. The lack of confidentiality or integrity impact reduces the risk of data breaches, but the availability impact alone can have severe consequences, especially in sectors like finance, healthcare, telecommunications, and government services where network uptime is crucial.
Mitigation Recommendations
1. Upgrade ISC Kea DHCP server to a patched version once the vendor releases a fix addressing CVE-2025-40779. Monitor ISC advisories and security bulletins for updates.
2. Implement network-level filtering to restrict unicast DHCP requests to trusted clients only, using firewall rules or DHCP relay configurations to limit exposure.
3. Monitor DHCP server logs and system stability to detect abnormal crashes or assertion failures indicative of exploitation attempts.
4. Deploy redundancy and failover mechanisms for DHCP services to maintain availability in case of process crashes.
5. Conduct regular security assessments and penetration testing focusing on DHCP infrastructure to identify potential weaknesses.
6. Educate network administrators about this vulnerability and ensure incident response plans include DHCP service disruptions.
7. Consider isolating DHCP servers in dedicated network segments to reduce attack surface and limit impact scope.
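Added example, not part of the advisory or of ISC's tooling: a triage helper for recommendation 3 that checks a Kea version against the affected releases listed above and scans journal lines for `kea-dhcp4` aborts. It assumes a systemd-managed service whose unit name contains `kea-dhcp4` and glibc-style assertion wording; the sample lines are constructed.

```python
import re

# Affected releases per the advisory: 2.7.1 through 2.7.9, 3.0.0 and 3.1.0.
AFFECTED_EXACT = {(3, 0, 0), (3, 1, 0)}

def is_affected(version):
    """True if a Kea version string is in the advisory's affected set."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return (2, 7, 1) <= v <= (2, 7, 9) or v in AFFECTED_EXACT

# systemd's wording when a unit's main process is killed by SIGABRT (signal 6).
# Assumption: the unit name contains "kea-dhcp4" (packaging varies).
ABORT_RE = re.compile(r"[\w-]*kea-dhcp4[\w-]*\.service: Main process exited, "
                      r"code=(?:killed|dumped), status=6/ABRT")
# Assumption: the assertion is reported in glibc assert() wording.
ASSERT_RE = re.compile(r"kea-dhcp4(?:\[\d+\])?: .*Assertion [`'].*' failed")

def find_aborts(lines):
    """Return (line_number, kind) for each line recording a kea-dhcp4 abort."""
    hits = []
    for n, line in enumerate(lines, 1):
        if ABORT_RE.search(line):
            hits.append((n, "sigabrt"))
        elif ASSERT_RE.search(line):
            hits.append((n, "assertion"))
    return hits

# Constructed sample journal lines; placeholders stand in for the real
# source location and expression, which the advisory does not give.
SAMPLE = [
    "Nov 04 21:40:01 dhcp1 kea-dhcp4[812]: (routine log line)",
    "Nov 04 21:41:13 dhcp1 kea-dhcp4[812]: kea-dhcp4: <file>:<line>: <func>: "
    "Assertion `<expr>' failed.",
    "Nov 04 21:41:13 dhcp1 systemd[1]: kea-dhcp4.service: Main process exited, "
    "code=killed, status=6/ABRT",
    "Nov 04 21:41:13 dhcp1 systemd[1]: kea-dhcp4.service: Failed with result 'signal'.",
    "Nov 04 21:42:00 dhcp1 systemd[1]: other.service: Main process exited, "
    "code=killed, status=6/ABRT",
]

if __name__ == "__main__":
    for ver in ("2.7.0", "2.7.9", "3.0.0", "3.0.1"):
        print(ver, "affected" if is_affected(ver) else "not in affected set")
    for n, kind in find_aborts(SAMPLE):
        print(f"line {n}: {kind}")
```

An abort hit on a host where `is_affected` is true is worth correlating with the source of unicast DHCPv4 traffic seen just before the timestamp.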
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: isc
- Date Reserved: 2025-04-16T08:44:49.857Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68af6b74ad5a09ad0065fbaf
Added to database: 8/27/2025, 8:32:52 PM
Last enriched: 11/4/2025, 9:47:42 PM
Last updated: 11/30/2025, 5:17:29 AM