2407178 – (CVE-2025-11232) CVE-2025-11232 kea: Invalid characters cause assert

Bug 2407178 (CVE-2025-11232) - CVE-2025-11232 kea: Invalid characters cause assert

Summary: CVE-2025-11232 kea: Invalid characters cause assert

Keywords:
Status:	NEW
Alias:	CVE-2025-11232
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2407228 2407229
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-29 19:01 UTC by OSIDB Bzimport
Modified:	2025-10-29 20:41 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-29 19:01:50 UTC

To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly.
This issue affects Kea versions 3.0.1 through 3.0.1 and 3.1.1 through 3.1.2.

Note You need to log in before you can comment on or make changes to this bug.