CVE-2019-6474

MEDIUM

ISC Kea < 1.5.0 - Resource Leak

Title source: rule

Description

A missing check on incoming client requests can be exploited to cause a situation where the Kea server's lease storage contains leases which are rejected as invalid when the server tries to load leases from storage on restart. If the number of such leases exceeds a hard-coded limit in the Kea code, a server trying to restart will conclude that there is a problem with its lease store and give up. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2

References (1)

[Vendor Advisory] https://kb.isc.org/docs/cve-2019-6474

Scores

CVSS v3 5.7

EPSS 0.0159

EPSS Percentile 81.8%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-772

Status published

Products (2)

isc/kea 1.6.0 beta1 (2 CPE variants)

isc/kea 1.4.0 - 1.5.0

Published Oct 16, 2019

Tracked Since Feb 18, 2026