CVE-2019-6474

high

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

8.0

Description

A missing check on incoming client requests can be exploited to cause a situation where the Kea server's lease storage contains leases which are rejected as invalid when the server tries to load leases from storage on restart. If the number of such leases exceeds a hard-coded limit in the Kea code, a server trying to restart will conclude that there is a problem with its lease store and give up. Versions affected: 1.4.0 to 1.5.0, 1.6.0-beta1, and 1.6.0-beta2

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-6474

OS impact

OS	Version	Status	Fixed in
arch		fixed	`1.8.0-1`
debian	bookworm	fixed	`1.7.5-1`
debian	forky	fixed	`1.7.5-1`
debian	sid	fixed	`1.7.5-1`
debian	trixie	fixed	`1.7.5-1`

References

https://security-tracker.debian.org/tracker/CVE-2019-6474

Verify integrity in audit chain (admin only). AS-IS.