Kea update fixes JSON parsing error and crashes
SUSE-SU-2026:1378-1
Summary
Update your Kea software to fix crashes and security issues that attackers could use to cause denial of service. This update also adds support for newer versions of Sphinx and improves logging configuration. Apply the update to ensure your system remains secure and stable.
What to do
- Update kea to version 2.6.5-150700.3.6.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| SUSE:Linux Enterprise Module for Basesystem 15 SP7 | – | kea | < 2.6.5-150700.3.6.1 (fix: upgrade to 2.6.5-150700.3.6.1) |
| SUSE:Linux Enterprise Module for Server Applications 15 SP7 | – | kea | < 2.6.5-150700.3.6.1 (fix: upgrade to 2.6.5-150700.3.6.1) |
Original title
Security update for kea
Original description
This update for kea fixes the following issues:
Update to release 2.6.5:
* A large number of bracket pairs in a JSON payload directed to
any endpoint would result in a stack overflow, due to recursive
calls when parsing the JSON. This has been fixed.
(CVE-2026-3608)
[bsc#1260380]
* A null dereference is now no longer possible when configuring
the Control Agent with a socket that lacks the mandatory
socket-name entry.
* UNIX sockets are now created as group-writable.
* Corrected an issue in logging configuration when parsing
'syslog:'
* Earlier Kea versions could crash when handling misconfigured
global reservations. This has been fixed.
* Support for recent versions of Sphinx has been added.
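
The CVE-2026-3608 item above is a recursion-depth problem: a recursive-descent parser uses one stack frame per nesting level, so the payload controls stack usage. The following C++ is an added example, not Kea's code or its actual fix; it shows one generic mitigation, an iterative pre-parse check that rejects input nested deeper than a limit. The function name and the limit of 100 are assumptions made for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical limit chosen for this example; not a value taken from Kea.
constexpr std::size_t kMaxDepth = 100;

// Returns true when the bracket nesting of `payload` never exceeds max_depth
// and never closes more than it opens. It is a single loop with a counter,
// so the check itself uses constant stack no matter how deep the input is.
// Full syntax validation (including unclosed brackets) is left to the parser.
bool nesting_within_limit(const std::string& payload,
                          std::size_t max_depth = kMaxDepth) {
    std::size_t depth = 0;
    bool in_string = false;
    bool escaped = false;
    for (char c : payload) {
        if (in_string) {
            // Brackets inside string literals are data, not structure.
            if (escaped) escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"') in_string = false;
            continue;
        }
        switch (c) {
        case '"': in_string = true; break;
        case '[': case '{':
            if (++depth > max_depth) return false;  // too deep: reject early
            break;
        case ']': case '}':
            if (depth == 0) return false;           // unbalanced close
            --depth;
            break;
        default: break;
        }
    }
    return true;
}

int main() {
    // Constructed sample inputs for this example.
    std::string ok = R"({"command": "config-get", "service": ["dhcp4"]})";
    std::string deep = std::string(1000, '[') + std::string(1000, ']');
    std::cout << "normal request accepted: " << nesting_within_limit(ok) << "\n";
    std::cout << "deeply nested accepted:  " << nesting_within_limit(deep) << "\n";
}
```

A check like this belongs in front of any recursive JSON parser that handles untrusted input; it does not replace installing the fixed package.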
- https://www.suse.com/support/update/announcement/2026/suse-su-20261378-1/ Vendor Advisory
- https://bugzilla.suse.com/1260380 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2026-3608 URL
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026