# Kea 3.0.3 Vulnerability Release Notes, March 25, 2026

Welcome to Kea 3.0.3, a vulnerability release of the stable 3.0 series. This supersedes the previous release, version 3.0.2.

Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL/MariaDB and PostgreSQL); optional RADIUS, Kerberos, YANG/NETCONF, and GSS-TSIG support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, and client classification.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For details about Docker issues, visit https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details about packaging, visit https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

The following changes and bug fixes have been implemented since the previous release:

1. **Vulnerability**: We addressed an issue, which was assigned CVE-2026-3608, where a large number of bracket pairs in a JSON payload directed to any endpoint would result in a stack overflow, due to recursive calls when parsing the JSON [#4275, #4288, #4387]. Since the exploit does not require the JSON request to have the full syntax of a valid command, it bypasses RBAC and the command filters on the High-Availability endpoints.
2. **Security**: A null dereference is no longer possible when configuring the Control Agent with a socket that lacks the mandatory socket-name entry [#4388, #4365].
3. **Permissions**: UNIX sockets are now created as group-writable [#4398, #4260]. This allows users belonging to the group to send commands to the UNIX sockets. In particular, it allows Stork 2.4.0 and above to detect the Kea daemon.
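Item 1 describes a parser that descends one call frame per opening bracket, so the nesting depth of the input, not its byte size, decided how much stack it consumed. The program below is an added example written for these notes; it is not Kea's parser and not ISC's fix. It shows the two defensive shapes the fix implies: an iterative pre-check that measures bracket depth without recursing at all, and a recursive walker that carries a depth budget and aborts before the stack is exhausted. `kMaxNestingDepth`, the function names and the sample inputs are all assumptions of the example; the limit Kea 3.0.3 actually enforces is not stated in these notes.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Nesting budget used by this example. Constructed value: the limit that
// Kea enforces is not given in the release notes.
constexpr std::size_t kMaxNestingDepth = 100;

// Iterative pre-check: deepest bracket nesting in a JSON text, ignoring
// brackets inside string literals. It never recurses, so it is safe to run
// on arbitrarily large input before the real parser sees it.
std::size_t maxNestingDepth(const std::string& text) {
    std::size_t depth = 0;
    std::size_t deepest = 0;
    bool inString = false;
    for (std::size_t i = 0; i < text.size(); ++i) {
        const char c = text[i];
        if (inString) {
            if (c == '\\') {
                ++i;                      // skip the escaped character
            } else if (c == '"') {
                inString = false;
            }
            continue;
        }
        if (c == '"') {
            inString = true;
        } else if (c == '{' || c == '[') {
            if (++depth > deepest) deepest = depth;
        } else if ((c == '}' || c == ']') && depth > 0) {
            --depth;
        }
    }
    return deepest;
}

bool withinDepthLimit(const std::string& text,
                      std::size_t limit = kMaxNestingDepth) {
    return maxNestingDepth(text) <= limit;
}

// Recursive walker in the shape that overflowed the stack (one call frame per
// opening bracket), with the fix the changelog describes: a depth counter that
// throws before the budget is exceeded. Returns the index just past the
// closing bracket of the value that starts at `pos`.
std::size_t walkNested(const std::string& text, std::size_t pos,
                       std::size_t depth, std::size_t limit) {
    if (depth > limit) {
        throw std::runtime_error("JSON nesting exceeds limit");
    }
    bool inString = false;
    while (pos < text.size()) {
        const char c = text[pos++];
        if (inString) {
            if (c == '\\') ++pos; else if (c == '"') inString = false;
            continue;
        }
        if (c == '"') {
            inString = true;
        } else if (c == '{' || c == '[') {
            pos = walkNested(text, pos, depth + 1, limit);
        } else if (c == '}' || c == ']') {
            return pos;
        }
    }
    return pos;
}

// True when the whole text can be walked without exceeding `limit`.
bool acceptsNested(const std::string& text,
                   std::size_t limit = kMaxNestingDepth) {
    try {
        walkNested(text, 0, 0, limit);
        return true;
    } catch (const std::runtime_error&) {
        return false;
    }
}

// Constructed oversized input: n opening brackets and nothing else.
std::string deepPayload(std::size_t n) {
    return std::string(n, '[');
}

int main() {
    const std::string normal = "{\"a\":[1,[2]]}";        // constructed sample
    std::cout << "depth of sample: " << maxNestingDepth(normal) << '\n';
    std::cout << "sample accepted: " << acceptsNested(normal) << '\n';
    std::cout << "oversized accepted: "
              << acceptsNested(deepPayload(10 * kMaxNestingDepth)) << '\n';
    return 0;
}
```

The pre-check is the cheaper guard because it rejects the request before any recursion starts; the budgeted walker is the pattern to apply inside a parser that is already recursive, since the check at function entry bounds the number of frames regardless of input size.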
## Incompatible Changes

There are no incompatible changes.

## Known Issues

There are no significant known issues.

## Packaging

There are no packaging changes.

## Acknowledgments

ISC would like to thank Ali Norouzi from Keysight for bringing the issue in CVE-2026-3608 to our attention.

## License

This version of Kea is released under the Mozilla Public License, version 2.0. https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are licensed with the [Kea Hooks Basic Commercial End User License](https://www.isc.org/kea-premium-license/). The source for each hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/

Pre-built Docker images as well as Docker files are available. For details, see: https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from: https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is available at: https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB formats.

ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users).
We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea software support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them on the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes the changes since the previous release:

- **2388.** [build] razvan
  The library version numbers have been bumped up for the Kea 3.0.3 stable release. (Gitlab #4402)
- **2387.** [sec] razvan
  Fix a null dereference when configuring the control agent with a control socket that lacks a socket-name entry. (Gitlab #4388, #4365)
- **2386.** [sec] razvan
  Restrict the number of recursive calls when parsing config. CVE-2026-3608 (Gitlab #4387, #4275, #4288)
- **2385.** [func] fdupont
  Create UNIX sockets as group writable, so a tool is allowed to connect to them as soon as it is run by a member of the group (vs. requiring it to be run by the owner). Note that to disallow this, the group execute permission can be removed from the socket's parent directory. (Gitlab #4398, #4260)

Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.
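Changelog entry 2385 (and item 3 of the notes) makes who can send commands depend on two sets of mode bits: group write on the socket itself, and group search (execute) on every directory on the path to it, which is why the entry suggests removing group execute from the parent directory to opt out. The program below is an added example written for these notes, not ISC code; it audits those bits for a socket path and applies that opt-out. The function names are the example's own, and `makeFixture` builds a throwaway directory in which a regular file stands in for the socket so the checks can be exercised without a running daemon.

```cpp
#include <cstdlib>
#include <fstream>
#include <iostream>
#include <string>
#include <sys/stat.h>

// Mode bits of a path, or -1 when stat() fails.
static long modeOf(const std::string& path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return -1;
    return static_cast<long>(st.st_mode);
}

// Parent directory of an absolute path ("/" stays "/").
std::string parentOf(const std::string& path) {
    const std::string::size_type slash = path.find_last_of('/');
    if (slash == std::string::npos) return ".";
    if (slash == 0) return "/";
    return path.substr(0, slash);
}

// Resolve symlinks and relative components so the ancestor walk is exact.
static std::string canonical(const std::string& path) {
    char* resolved = realpath(path.c_str(), nullptr);
    if (resolved == nullptr) return "";
    const std::string out(resolved);
    free(resolved);
    return out;
}

// connect() on a UNIX socket needs write permission on the socket node.
bool socketGroupWritable(const std::string& sock) {
    const long m = modeOf(sock);
    return m >= 0 && (m & S_IWGRP) != 0;
}

// A group member can only reach the socket if every ancestor directory
// grants the group search (execute) permission.
bool groupCanTraverse(const std::string& sock) {
    std::string dir = canonical(sock);
    if (dir.empty()) return false;
    dir = parentOf(dir);
    for (;;) {
        const long m = modeOf(dir);
        if (m < 0 || (m & S_IXGRP) == 0) return false;
        if (dir == "/") return true;
        dir = parentOf(dir);
    }
}

// Combined verdict for members of the socket's group.
bool groupCanConnect(const std::string& sock) {
    return socketGroupWritable(sock) && groupCanTraverse(sock);
}

// The opt-out from changelog entry 2385: drop group execute on the
// socket's parent directory. Returns true on success.
bool denyGroupAccess(const std::string& sock) {
    const std::string dir = parentOf(canonical(sock));
    const long m = modeOf(dir);
    if (m < 0) return false;
    const mode_t wanted = static_cast<mode_t>((m & 07777) & ~S_IXGRP);
    return chmod(dir.c_str(), wanted) == 0;
}

// Constructed fixture: a fresh directory (mode 0770) holding a regular file
// (mode 0660) that stands in for a group-writable control socket.
std::string makeFixture() {
    char tmpl[] = "/tmp/sock-audit-XXXXXX";
    if (mkdtemp(tmpl) == nullptr) return "";
    const std::string dir(tmpl);
    const std::string sock = dir + "/ctrl-socket";
    { std::ofstream create(sock.c_str()); }
    if (chmod(dir.c_str(), 0770) != 0 || chmod(sock.c_str(), 0660) != 0) return "";
    return sock;
}

int main(int argc, char** argv) {
    const std::string sock = argc > 1 ? argv[1] : makeFixture();
    std::cout << sock << ": group can connect = "
              << (groupCanConnect(sock) ? "yes" : "no") << '\n';
    return 0;
}
```

Run it with a real socket path as the first argument to audit a deployment; with no argument it audits the fixture. Only the group permission class is inspected because, for a user who is a member of the socket's group but not its owner, that is the class the kernel applies at every step of the path.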