US-CERT issued a security advisory, rated medium, for Kea DHCP version 1.4.0 that could cause memory leakage resulting in the failure of memory locations and a server crash.
The flaw, CVE-2018-5739, takes advantage of a previous issue where callout handle store added during an earlier update did not always properly free memory resulting in the eventual exhaustion of available memory and failure of the server. Essentially, if too many requests are sent the server will consume all system memory or, if a per-process memory limit is set, will hit that limit, after which point further memory allocations will fail and the Kea server will crash.
Kea is an open-source DHCP server developed by the Internet Systems Consortium (ISC).
US CERT noted this vulnerability is not being actively exploited, but the problem is such that even without an outside actor attacking a system with extra traffic, the memory allocation of the server will grow over time eventually causing a memory issue.
ISC recommends upgrading to Kea 1.4.0-P1.
