CVE-2026-3608 is a vulnerability classified under CWE-617 (Reachable Assertion) affecting ISC Kea DHCP server software versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2. The flaw arises when a specially crafted message is sent to one of the Kea daemons—kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6—via any configured API socket or high-availability (HA) listener. This crafted input triggers a reachable assertion failure, which leads to a stack overflow condition causing the daemon process to exit unexpectedly. The vulnerability does not require any privileges or user interaction, making it remotely exploitable over the network. The stack overflow results in a denial-of-service (DoS) condition by crashing the DHCP service, which can disrupt IP address allocation and network connectivity for clients relying on the affected DHCP servers. ISC Kea is an open-source DHCP server widely used in enterprise and ISP environments for dynamic IP address management. The vulnerability affects multiple components of Kea, increasing the attack surface. Although no public exploits have been reported, the CVSS v3.1 score of 7.5 (high) reflects the ease of exploitation and significant impact on service availability. No patches or mitigations are listed in the provided data, indicating that organizations must monitor ISC advisories for updates.

The primary impact of CVE-2026-3608 is denial of service due to the crashing of critical DHCP server components. DHCP servers are essential for automatic IP address assignment and network configuration; their disruption can lead to widespread network outages, loss of connectivity for end-users and devices, and potential cascading failures in dependent services. In large enterprise or ISP environments, this can affect thousands or millions of devices, causing operational downtime and service degradation. Since the vulnerability can be triggered remotely without authentication, attackers can exploit it to disrupt network operations at scale. Although confidentiality and integrity are not directly impacted, the availability impact alone can have severe operational and financial consequences. Organizations relying on ISC Kea for DHCP services must consider this a high-risk issue, especially those with critical infrastructure or large-scale deployments.

Organizations should immediately inventory their ISC Kea deployments to identify affected versions (2.6.0 through 2.6.4 and 3.0.0 through 3.0.2). Until patches are available, consider the following mitigations: 1) Restrict network access to Kea API sockets and HA listeners using firewall rules or network segmentation to limit exposure to trusted management hosts only. 2) Monitor network traffic for anomalous or malformed messages targeting Kea daemons to detect potential exploitation attempts. 3) Implement rate limiting or connection throttling on API sockets to reduce the risk of DoS attacks. 4) Deploy redundant DHCP servers with failover capabilities to maintain service availability if one instance crashes. 5) Stay updated with ISC security advisories and apply patches promptly once released. 6) Consider upgrading to unaffected versions or alternative DHCP solutions if immediate patching is not feasible. 7) Conduct regular backups of DHCP configurations to enable rapid recovery after an incident.