CVE-2025-40779: CWE-476 NULL Pointer Dereference in ISC Kea
If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the `kea-dhcp4` process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem. This issue affects Kea versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0.
AI Analysis
Technical Summary
CVE-2025-40779 is a high-severity vulnerability affecting ISC Kea DHCP server versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0. The issue arises from a NULL pointer dereference (CWE-476) in the kea-dhcp4 process. Specifically, when a DHCPv4 client sends a unicast request containing certain specific options, and Kea fails to locate an appropriate subnet for the client, the kea-dhcp4 process encounters an assertion failure and aborts. This results in a denial of service (DoS) condition, as the DHCP server process crashes and becomes unavailable to service DHCP requests. Notably, this problem does not occur with broadcast DHCP messages, only with unicast requests directly sent to the Kea server. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting its high severity due to network attack vector, no privileges or user interaction required, and a direct impact on availability. There are no known exploits in the wild at the time of publication, and no patches are linked yet. The root cause is a failure to properly handle cases where no matching subnet is found for a client request, leading to dereferencing a NULL pointer and triggering an assertion failure that crashes the process. This vulnerability could be exploited by an unauthenticated attacker capable of sending crafted unicast DHCPv4 requests to the Kea server, causing service disruption by crashing the DHCP server process.
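The unicast-versus-broadcast condition described above is what a sensor or filter in front of the server can key on. The following is an added example, not code from ISC or from this advisory; it sorts packets arriving on UDP port 67 by destination and source. The server address, the trusted network and the sample packets are constructed assumptions, and only IP/UDP headers are inspected because the advisory does not name the options involved.

```python
import ipaddress
import struct

SERVER_IP = ipaddress.ip_address("192.0.2.10")        # assumed Kea address
TRUSTED = [ipaddress.ip_network("198.51.100.0/24")]   # assumed relay/client segment
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def classify(packet):
    """Classify a raw IPv4 packet as seen on the DHCP server's interface."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-dhcp4"
    ihl = (packet[0] & 0x0F) * 4                       # IPv4 header length in bytes
    if packet[9] != 17 or len(packet) < ihl + 8:       # protocol 17 = UDP
        return "not-dhcp4"
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    dport = struct.unpack_from("!H", packet, ihl + 2)[0]
    if dport != 67:
        return "not-dhcp4"
    if dst == LIMITED_BROADCAST:
        return "broadcast"             # not the path the advisory describes
    if dst != SERVER_IP:
        return "other-destination"     # e.g. subnet-directed broadcast, not handled here
    if any(src in net for net in TRUSTED):
        return "unicast-trusted"
    return "unicast-untrusted"         # candidate for drop or alert

def ipv4_udp(src, dst, sport=68, dport=67, payload=b""):
    """Build a constructed IPv4+UDP packet (checksums left zero) for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + udp

if __name__ == "__main__":
    for s, d in [("203.0.113.7", "192.0.2.10"),
                 ("198.51.100.1", "192.0.2.10"),
                 ("0.0.0.0", "255.255.255.255")]:
        print(s, "->", d, classify(ipv4_udp(s, d)))
```

Clients renewing a lease unicast their DHCPREQUEST to the server (RFC 2131, RENEWING state), so the trusted list has to cover directly routed client subnets as well as relay agents.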
Potential Impact
For European organizations relying on ISC Kea DHCP servers, this vulnerability poses a significant risk of denial of service. DHCP is a critical network service responsible for dynamically assigning IP addresses and network configuration to clients. A crash of the kea-dhcp4 process can disrupt network connectivity for clients, potentially causing widespread outages in enterprise, government, or service provider networks. This can impact business operations, especially in environments with high DHCP dependency such as large corporate LANs, data centers, and managed service providers. The ease of exploitation—no authentication or user interaction required—and the network attack vector mean attackers can remotely trigger the crash simply by sending crafted DHCPv4 unicast requests. Although no known exploits exist yet, the vulnerability could be leveraged in targeted attacks or automated scanning campaigns. The impact on confidentiality and integrity is minimal, but the availability impact is high, potentially leading to network downtime and operational disruption. Organizations with critical infrastructure or services relying on Kea DHCP servers should prioritize mitigation to maintain network stability.
Mitigation Recommendations
Organizations should immediately audit their DHCP infrastructure to identify any ISC Kea DHCP servers running affected versions (2.7.1 through 2.7.9, 3.0.0, and 3.1.0). Until patches are available, network-level mitigations should be implemented: restrict access to DHCP servers to trusted network segments and block untrusted sources from sending unicast DHCPv4 requests to the server. Deploy network intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect and block malformed DHCPv4 requests that could trigger the crash. Monitor DHCP server logs and system stability closely for signs of crashes or unusual requests. Consider deploying redundant DHCP servers or failover mechanisms to maintain service availability in case of crashes. Once ISC releases patches addressing this vulnerability, apply them promptly. Additionally, engage with ISC support or community channels to obtain any available workarounds or interim fixes. Finally, review DHCP server configuration to ensure proper subnet definitions and validation to reduce the likelihood of unhandled client requests.
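For the audit step, the check below compares collected version strings (for example the output of `kea-dhcp4 -v` gathered from each host) against the versions this advisory lists. It is an added example, not ISC tooling; the host names and version strings in the inventory are constructed, and "not-listed" means only that the version is not named in this advisory.

```python
import re

# Affected releases as stated in the advisory: 2.7.1 through 2.7.9, 3.0.0, 3.1.0.
AFFECTED_RANGE = ((2, 7, 1), (2, 7, 9))
AFFECTED_EXACT = {(3, 0, 0), (3, 1, 0)}

# First x.y.z triple that is not part of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Return the x.y.z triple found in a version string, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version):
    """True if the (major, minor, patch) triple is one the advisory lists."""
    lo, hi = AFFECTED_RANGE
    return lo <= version <= hi or version in AFFECTED_EXACT

def audit(inventory):
    """Map each host to 'affected', 'not-listed' or 'unknown'."""
    report = {}
    for host, raw in inventory.items():
        version = parse_version(raw)
        if version is None:
            report[host] = "unknown"       # collection failed: check by hand
        elif is_affected(version):
            report[host] = "affected"
        else:
            report[host] = "not-listed"
    return report

# Constructed inventory: host name -> version string as collected.
SAMPLE = {
    "dhcp-a": "3.0.0",
    "dhcp-b": "2.7.9-1",    # package-style suffix (constructed)
    "dhcp-c": "2.6.3",
    "dhcp-d": "3.0.1",
    "dhcp-e": "",           # nothing collected
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```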
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: isc
- Date Reserved: 2025-04-16T08:44:49.857Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68af6b74ad5a09ad0065fbaf
Added to database: 8/27/2025, 8:32:52 PM
Last enriched: 9/4/2025, 1:28:28 AM
Last updated: 10/17/2025, 1:15:44 PM