CVE-2025-32801

NameCVE-2025-32801
DescriptionKea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1106737

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
isc-kea (PTS)bookworm2.2.0-6vulnerable
trixie, sid2.6.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
isc-keasource(unstable)2.6.3-11106737

Notes

https://kb.isc.org/docs/cve-2025-32801
https://www.openwall.com/lists/oss-security/2025/05/28/8
Search for package or bug name: Reporting problems