
oss-sec mailing list archives
RE: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
From: Jounee Kim <Jokim () bn com>
Date: Wed, 28 May 2025 17:54:41 +0000
UNSUBSCRIBE

From: Andrei Pavel <andrei () isc org>
Sent: Wednesday, May 28, 2025 12:34 PM
To: oss-security () lists openwall com
Cc: security-officer () isc org
Subject: [oss-security] ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)

On 28 May 2025 we (Internet Systems Consortium) disclosed three vulnerabilities affecting our Kea software:

- CVE-2025-32801: Loading a malicious hook library can lead to local privilege escalation
  https://kb.isc.org/docs/cve-2025-32801
- CVE-2025-32802: Insecure handling of file paths allows multiple local attacks
  https://kb.isc.org/docs/cve-2025-32802
- CVE-2025-32803: Insecure file permissions can result in confidential information leakage
  https://kb.isc.org/docs/cve-2025-32803

New versions of Kea are available from https://www.isc.org/downloads

- https://downloads.isc.org/isc/kea/2.4.2/
- https://downloads.isc.org/isc/kea/2.6.3/
- https://downloads.isc.org/isc/kea/2.7.9/

With the public announcement of these vulnerabilities, the embargo period is ended and any updated software packages that have been prepared may be released.
Current thread:
- ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Andrei Pavel (May 28)
- Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Matthias Gerstner (May 28)
- Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Jakub Wilk (May 28)
- Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Matthias Gerstner (May 30)
- Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Matthias Gerstner (May 30)
- Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Jakub Wilk (May 28)
- Re: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Matthias Gerstner (May 28)
- RE: ISC has disclosed three vulnerabilities in Kea (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) Jounee Kim (May 28)