7.5 CVE-2025-11232
To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNS updates do not need to be enabled for this issue to manifest. A client that sends certain option content would then cause kea-dhcp4 to exit unexpectedly.
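As an added example (this is not from the ISC advisory or the Kea project), a small Python checker that reads a kea-dhcp4 JSON configuration and reports each subnet whose effective settings match the triggering combination described above: the default "hostname-char-set", an empty "hostname-char-replacement", and a non-empty "ddns-qualifying-suffix". It assumes these three parameters follow Kea's usual global, then shared-network, then subnet inheritance, that the defaults are the ones quoted above, and that the file is plain JSON (Kea's own parser also accepts comments, which json.loads does not). The sample configurations embedded below are constructed for the example. The checker looks at configuration only; whether the running version is one the advisory lists is a separate check.

```python
import json
import sys

# Defaults as quoted in the advisory text above (assumed; confirm against
# the Kea ARM for your release).
DEFAULTS = {
    "hostname-char-set": "[^A-Za-z0-9.-]",
    "hostname-char-replacement": "",
    "ddns-qualifying-suffix": "",
}


def resolve(scopes):
    """Resolve the three parameters across a chain of scopes.

    `scopes` is ordered from least to most specific (global, shared-network,
    subnet); a more specific scope overrides a less specific one. Assumption:
    Kea inherits these parameters that way, as it does for its ddns-* settings.
    """
    effective = dict(DEFAULTS)
    for scope in scopes:
        for name in DEFAULTS:
            if name in scope:
                effective[name] = scope[name]
    return effective


def matches_trigger(effective):
    """All three advisory conditions must hold at once for the crash path."""
    return (
        effective["hostname-char-set"] == DEFAULTS["hostname-char-set"]
        and effective["hostname-char-replacement"] == ""
        and effective["ddns-qualifying-suffix"] != ""
    )


def scan_config(config_text):
    """Return a label for every subnet whose effective settings match the
    triggering combination. With no subnets defined, the global scope is
    evaluated instead."""
    dhcp4 = json.loads(config_text)["Dhcp4"]
    leaves = []  # (label, scope chain)
    for subnet in dhcp4.get("subnet4", []):
        leaves.append((f"subnet {subnet.get('subnet', '?')}", [dhcp4, subnet]))
    for network in dhcp4.get("shared-networks", []):
        for subnet in network.get("subnet4", []):
            label = (f"subnet {subnet.get('subnet', '?')} "
                     f"(shared-network {network.get('name', '?')})")
            leaves.append((label, [dhcp4, network, subnet]))
    if not leaves:
        leaves.append(("global", [dhcp4]))
    return [label for label, chain in leaves if matches_trigger(resolve(chain))]


# Constructed sample configurations for this example.
# 1) Suffix set globally, everything else left at defaults: matches.
TRIGGERING_CONFIG = """
{"Dhcp4": {
  "ddns-qualifying-suffix": "example.org.",
  "subnet4": [{"id": 1, "subnet": "192.0.2.0/24",
               "pools": [{"pool": "192.0.2.10 - 192.0.2.100"}]}]
}}"""

# 2) A global replacement character breaks the combination, but one subnet
#    re-empties it inside a shared network that sets a suffix: that subnet
#    matches, its sibling does not.
MIXED_CONFIG = """
{"Dhcp4": {
  "hostname-char-replacement": "-",
  "subnet4": [{"id": 1, "subnet": "192.0.2.0/24"}],
  "shared-networks": [{
    "name": "office",
    "ddns-qualifying-suffix": "office.example.",
    "subnet4": [
      {"id": 2, "subnet": "198.51.100.0/24", "hostname-char-replacement": ""},
      {"id": 3, "subnet": "203.0.113.0/24"}
    ]}]
}}"""

# 3) Suffix set, but hostname-char-set changed from its default: no match.
SAFE_CONFIG = """
{"Dhcp4": {
  "hostname-char-set": "",
  "ddns-qualifying-suffix": "example.org.",
  "subnet4": [{"id": 1, "subnet": "192.0.2.0/24"}]
}}"""


if __name__ == "__main__":
    # Usage: python check_kea.py /etc/kea/kea-dhcp4.conf
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        hits = scan_config(text)
        print("\n".join(hits) if hits else "no matching scope")
    else:
        for name, cfg in (("triggering", TRIGGERING_CONFIG),
                          ("mixed", MIXED_CONFIG), ("safe", SAFE_CONFIG)):
            print(name, "->", scan_config(cfg))
```

Because the trigger needs all three settings at once, changing any one of them at the scope a client lands in takes that scope off the crash path; the mixed sample shows why the check has to be made per subnet rather than on the global block alone.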
This issue affects Kea 3.0.1 and Kea 3.1.1 through 3.1.2.
https://nvd.nist.gov/vuln/detail/CVE-2025-11232
Categories
CWE-823 : Use of Out-of-range Pointer Offset
The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. This term is narrower than the concept of "out-of-range" offset, since the offset might be the result of a calculation or other error that does not depend on any externally-supplied values.

Detection: automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Observed examples:
- Invalid offset in undocumented opcode leads to memory corruption.
- Multimedia player uses untrusted value from a file when using file-pointer calculations.
- Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
- Instant messaging library does not validate an offset value specified in a packet.
- Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
- Negative offset leads to out-of-bounds read.
- Untrusted offset in kernel.
- "Blind trust" of an offset value while writing heap memory allows corruption of a function pointer, leading to code execution.
- Negative value (signed) causes pointer miscalculation.
- Signed values cause incorrect pointer calculation.
- Values used as pointer offsets.
- A return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic.
- Portions of a GIF image used as offsets, causing corruption of an object pointer.
- Invalid numeric field leads to a free of arbitrary memory locations, then code execution.
- Large number of elements leads to a free of an arbitrary address.
- Array index issue (CWE-129) with negative offset, used to dereference a function pointer.
- "Buffer seek" value (essentially an offset).
References
af854a3a-2127-422b-91ae-364da2661108
security-officer@isc.org
CPE
| cpe | start | end |
|---|---|---|
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date |
|---|---|---|
| No known exploits | | |
POC Github
| Url |
|---|
| No known exploits |
Other Nist (github, ...)
| Url |
|---|
| No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| 129 | Pointer Manipulation | Medium |
