ISC A.I CyberSecurity Scoring
ISC
Company Information
Website: https://www.isc.org/
Number of employees: 45
Number of followers: 2,641
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: isc.org
ISC Risk Score (AI oriented)
Score: 742/1000 (Moderate, Ba), in the band between 700 and 749
Updated: 04/04/2026
ISC Global Score (TPRM)
Score locked
Current Score: 742 Ba (MODERATE)
Scale: 0 to 1000
3 incidents
-5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 743
MAY 2026: 742
APRIL 2026: 742
MARCH 2026: 747
Vulnerability
25 Mar 2026 • ISC
Internet Systems Consortium: ISC Issues Critical Warning Over Kea DHCP Vulnerability That Could Remotely Crash Services
Critical Kea DHCP Server Vulnerability Exposes Networks to DoS Attacks
742
CRITICAL-5
INT1774592629
The Internet Systems Consortium (ISC) has issued a high-severity security advisory for a stack overflow vulnerability (CVE-2026-3608) in its Kea DHCP server software, a widely used solution for IP address management in enterprise and ISP networks. Disclosed on March 25, 2026, the flaw carries a CVSS score of 7.5 and could allow unauthenticated remote attackers to crash critical network services, leading to a complete denial-of-service (DoS).
The vulnerability stems from improper handling of maliciously crafted messages sent via API sockets or High Availability (HA) listeners, triggering a stack overflow in multiple Kea daemons. Affected components include the control agent (kea-ctrl-agent), dynamic DNS updater (kea-dhcp-ddns), and both IPv4/IPv6 services (kea-dhcp4/kea-dhcp6). Exploitation results in an immediate DHCP service outage, preventing new devices from joining the network and disrupting lease renewals for existing clients.
Impacted versions include Kea 2.6.0–2.6.4 and 3.0.0–3.0.2. The flaw was discovered and reported by Ali Norouzi of Keysight. While no active exploits have been observed, the ISC urges administrators to upgrade to patched versions 2.6.5 or 3.0.3 immediately. For those unable to patch, securing API sockets with TLS mutual authentication (via `cert-required: true`) can mitigate the risk by blocking unauthenticated connections.
FEBRUARY 2026: 746
JANUARY 2026: 746
DECEMBER 2025: 746
NOVEMBER 2025: 746
OCTOBER 2025: 745
SEPTEMBER 2025: 745
AUGUST 2025: 745
JULY 2025: 744
JUNE 2025: 766
Vulnerability
16 Jun 2025 • ISC
Internet Systems Consortium: BIND 9 Vulnerability Allows Attackers to Crash DNS Servers Using Malicious Records
Critical BIND 9 Vulnerability (CVE-2025-13878) Enables Remote DNS Server Crashes
744
LOW-22
INT1769088576
The Internet Systems Consortium (ISC) has disclosed a high-severity vulnerability in BIND 9, tracked as CVE-2025-13878, that allows remote attackers to crash DNS servers by sending malformed BRID (Boundary Router Identifier) and HHIT (Host Identity Tag) records. The flaw causes the named daemon to terminate unexpectedly, resulting in a denial-of-service (DoS) condition.
The vulnerability affects multiple BIND 9 release branches, including stable, development, and preview editions. Exploitation requires no authentication or special privileges, making it accessible to any attacker with network access. Both authoritative DNS servers and recursive resolvers are impacted, broadening the potential attack surface.
### Affected Versions & Patches
The following BIND 9 versions are vulnerable, with patched releases available:
| BIND Edition | Vulnerable Versions | Patched Version |
|------------------------|---------------------------------------|----------------------|
| BIND 9 Stable | 9.18.40 – 9.18.43 | 9.18.44 |
| BIND 9 Stable | 9.20.13 – 9.20.17 | 9.20.18 |
| BIND 9 Development | 9.21.12 – 9.21.16 | 9.21.17 |
| BIND 9 Preview | 9.18.40-S1 – 9.18.43-S1 | 9.18.44-S1 |
| BIND 9 Preview | 9.20.13-S1 – 9.20.17-S1 | 9.20.18-S1 |
### Technical Details
- CVE ID: CVE-2025-13878
- Severity: High (CVSS 7.5)
- Attack Vector: Network/Remote (no authentication required)
- Impact: Availability (DoS), no confidentiality or integrity risks
- Disclosure Date: January 21, 2026
The vulnerability was discovered by Vlatko Kosturjak of Marlink Cyber and responsibly disclosed to ISC. While no active exploits have been observed, the ease of exploitation and BIND's widespread use make this a critical patching priority. ISC has released fixes, and no workarounds exist; affected systems must be upgraded immediately.
Vulnerability
16 Jun 2025 • ISC
Internet Systems Consortium (ISC)
Critical DNS Cache Poisoning Vulnerability in BIND 9 (CVE-2025-40778)
744
CRITICAL-22
INT3932739102725
A critical DNS cache poisoning vulnerability (CVE-2025-40778, CVSS 8.6) was disclosed in BIND 9, the widely used DNS resolver software maintained by ISC. The flaw, stemming from improper handling of unsolicited DNS resource records, allows off-path attackers to inject forged entries into DNS caches without direct network access. Over 706,000 exposed BIND 9 instances worldwide are affected, including versions 9.11.0–9.16.50, 9.18.0–9.18.39, 9.20.0–9.20.13, and 9.21.0–9.21.12. While no active exploitation has been reported, a public proof-of-concept exploit on GitHub escalates risks, enabling attackers to redirect traffic to malicious destinations, facilitating phishing, data interception, or service disruptions. Poisoned caches could misroute clients for extended periods (hours/days), depending on TTL values. ISC urges immediate patching to versions 9.18.41, 9.20.15, or 9.21.14+, alongside mitigations like DNSSEC validation, recursion restrictions, and cache monitoring. Unpatched systems—especially high-traffic resolvers used by enterprises, ISPs, and governments—face severe exposure, risking widespread internet infrastructure compromise.