Overview
This report addresses a significant vulnerability, CVE-2025-40779, in the Kea DHCP server. If a DHCPv4 client sends a request containing specific options and Kea fails to find an appropriate subnet for that client, the `kea-dhcp4` process can abort, causing a system failure. The vulnerability affects multiple versions of Kea and, if exploited, could potentially lead to a system compromise or data leakage.
Vulnerability Summary
CVE ID: CVE-2025-40779
Severity: High (CVSS score 7.5)
Attack Vector: DHCPv4 Client Request
Privileges Required: None
User Interaction: None
Impact: System compromise, data leakage
Affected Products
Product | Affected Versions
--- | ---
Kea | 2.7.1 – 2.7.9
Kea | 3.0.0
Kea | 3.1.0
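The table above gives three inclusive ranges, and the quickest defensive action is to find every Kea instance inside them. The following is an added example (not part of this report or of the Kea project) that parses version strings such as those printed by `kea-dhcp4 -v` (the banner format used in the sample is an assumption; the checker only needs a MAJOR.MINOR.PATCH triple to appear somewhere in the text) and triages a constructed inventory against the affected ranges:

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges copied from the advisory table above; both bounds inclusive.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((2, 7, 1), (2, 7, 9)),
    ((3, 0, 0), (3, 0, 0)),
    ((3, 1, 0), (3, 1, 0)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the first MAJOR.MINOR.PATCH triple from a string.

    Accepts a bare version ("2.7.5") as well as banner-style text such as
    "2.7.5 (tarball)"; the banner layout is an assumption, not Kea's
    documented output format.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range.

    Tuple comparison is lexicographic, so 2.7.10 correctly sorts after
    2.7.9 and is reported as not affected by this advisory.
    """
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(hosts: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the names of hosts whose reported Kea version is affected."""
    return [name for name, ver in hosts if is_affected(ver)]


# Constructed inventory for demonstration; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("dhcp-a", "2.6.1"),
    ("dhcp-b", "2.7.1 (tarball)"),
    ("dhcp-c", "2.7.9"),
    ("dhcp-d", "3.0.0"),
    ("dhcp-e", "3.0.1"),
    ("dhcp-f", "3.1.0"),
    ("dhcp-g", "3.1.1"),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected by CVE-2025-40779")
```

A real inventory would be fed from configuration management or from running `kea-dhcp4 -v` over the fleet; the range list is the only part that needs updating if the advisory is revised.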
How the Exploit Works
The exploit works when a DHCPv4 client sends a request with specific options to the Kea server. If Kea fails to find an appropriate subnet for the client, the `kea-dhcp4` process aborts due to an assertion failure. The vulnerability is only triggered when the client request is unicast directly to Kea; broadcast messages are not affected by this issue.
Conceptual Example Code
The vulnerability could potentially be exploited by sending a malformed DHCPv4 client request to the Kea server, as illustrated in the conceptual pseudo-code below:

```
DHCPv4_Request {
    HOST: Kea_Server_IP
    Specific_Options: Malicious_payload
    Request_Type: Unicast
}
```

In this pseudo-code, a DHCPv4 request is sent to the Kea server with a malicious payload placed within the specific options. This can trigger a failure in the `kea-dhcp4` process if Kea cannot find an appropriate subnet for the client.
