CVE-2018-5739
CVE-2018-5739 is a medium-severity vulnerability in Isc Kea with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-772.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 2% (77th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-772
- Affected product: Isc Kea
- Published:
- Last modified:
Description
An extension to hooks capabilities which debuted in Kea 1.4.0 introduced a memory leak for operators who are using certain hooks library facilities. In order to support multiple requests simultaneously, Kea 1.4 added a callout handle store but unfortunately the initial implementation of this store does not properly free memory in every case. Hooks which make use of query4 or query6 parameters in their callouts can leak memory, resulting in the eventual exhaustion of available memory and subsequent failure of the server process. Affects Kea DHCP 1.4.0.
Frequently asked questions
- What is CVE-2018-5739?
- An extension to hooks capabilities which debuted in Kea 1.4.0 introduced a memory leak for operators who are using certain hooks library facilities. In order to support multiple requests simultaneously, Kea 1.4 added a callout handle store but unfortunately the initial implementation of this store does not properly free memory in every case. Hooks which make use of query4 or query6 parameters in their callouts can leak memory, resulting in the eventual exhaustion of available memory and subsequent failure of the server process. Affects Kea DHCP 1.4.0.
- How severe is CVE-2018-5739?
- CVE-2018-5739 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2018-5739 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (77th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2018-5739?
- CVE-2018-5739 affects Isc Kea. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2018-5739?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2018-5739 published?
- CVE-2018-5739 was published on 2019-01-16 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:isc:kea:1.4.0:*:*:*:*:*:*:*
More vulnerabilities in Isc Kea
- CVE-2015-8373 — Medium (CVSS 6.8): The kea-dhcp4 and kea-dhcp6 servers 0.9.2 and 1.0.0-beta in ISC Kea, when certain debugging settings are used, allow…
- CVE-2019-6472 — Medium (CVSS 6.5): A packet containing a malformed DUID can cause the Kea DHCPv6 server process (kea-dhcp6) to exit due to an assertion…
- CVE-2019-6474 — Medium (CVSS 5.7): A missing check on incoming client requests can be exploited to cause a situation where the Kea server's lease storage…
Other CWE-772 vulnerabilities
- CVE-2020-12134 — Critical (CVSS 9.8): Nanometrics Centaur through 4.3.23 and TitanSMA through 4.2.20 mishandle access control for the syslog log.
- CVE-2017-15032 — Critical (CVSS 9.8): ImageMagick version 7.0.7-2 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
- CVE-2017-14138 — Critical (CVSS 9.8): ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage in coders/webp.c because memory is not freed in…
- CVE-2017-11641 — Critical (CVSS 9.8): GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function in magick/pixel_cache.c during writing of Magick…
- CVE-2020-14339 — High (CVSS 8.8): A flaw was found in libvirt, where it leaked a file descriptor for `/dev/mapper/control` into the QEMU process. This…
- CVE-2018-19760 — High (CVSS 8.8): cfg_init in confuse.c in libConfuse 3.2.2 has a memory leak.