CVE-2018-5739

MEDIUM

Kea 1.4 - Memory Corruption

Title source: llm

Description

An extension to hooks capabilities which debuted in Kea 1.4.0 introduced a memory leak for operators who are using certain hooks library facilities. In order to support multiple requests simultaneously, Kea 1.4 added a callout handle store but unfortunately the initial implementation of this store does not properly free memory in every case. Hooks which make use of query4 or query6 parameters in their callouts can leak memory, resulting in the eventual exhaustion of available memory and subsequent failure of the server process. Affects Kea DHCP 1.4.0.

References (1)

[Vendor Advisory] https://kb.isc.org/docs/aa-01626

Scores

CVSS v3 6.5

EPSS 0.0327

EPSS Percentile 87.0%

Attack Vector ADJACENT_NETWORK

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-772

Status published

Affected Products (1)

isc/kea

Timeline

Published Jan 16, 2019

Tracked Since Feb 18, 2026