Silent Crashes, Hidden Blackholes: Critical Junos OS Vulnerabilities Threaten Network Stability

Multiple Vulnerabilities in Junos OS and Junos OS Evolved

Product Details

Vendor: Juniper Networks
Operating Systems: Junos OS, Junos OS Evolved
Affected Platforms:
SRX Series, MX Series, MX10K, EX Series, EX4000, EX4K, QFX5K, Junos Space

These vulnerabilities affect core networking components, including control-plane daemons, forwarding engines, authentication services, and management interfaces. Most are network-reachable, frequently unauthenticated, and primarily cause denial-of-service, with select memory-corruption issues presenting potential remote code execution risk.


Executive Summary

A coordinated set of vulnerabilities across Junos OS exposes network infrastructure devices to traffic disruption, control-plane instability, authentication failures, and potential privilege escalation.

While many issues result in crashes or resource exhaustion, several memory-safety flaws (double-free, use-after-free, stack overflow) are high-risk and potentially exploitable. Because exploitation traffic can resemble malformed or edge-case network packets, detection is non-trivial and requires behavioral monitoring rather than signature-based alerts alone.


CVE Overview Table

| CVE ID | Component | Vulnerability Type | Attack Vector | Auth Required | Impact | Affected Platforms |
|---|---|---|---|---|---|---|
| CVE-2026-21921 | chassisd | Use-After-Free | Network | Low-priv | Control plane crash | SRX, MX, EX |
| CVE-2026-21920 | DNS Module | Unchecked return value | Network | None | DoS | SRX |
| CVE-2026-21918 | flowd | Double Free | Network | None | DoS / Potential RCE | SRX, MX |
| CVE-2026-21917 | Web Filtering | Improper input validation | Network | None | DoS | SRX |
| CVE-2026-21914 | GTP Plugin | Improper locking | Network | None | DoS | SRX |
| CVE-2026-21913 | Internal Device Manager | Incorrect resource initialization | Network | None | DoS | EX4000 |
| CVE-2026-21912 | Firmware stats | TOCTOU race condition | Local CLI | Low-priv | Line card reset | MX10K |
| CVE-2026-21911 | l2cpd | Incorrect calculation | Network-adjacent | None | High CPU / DoS | Junos OS Evolved |
| CVE-2026-21910 | PFE | Improper exception handling | Network-adjacent | None | Traffic blackhole | EX4K, QFX5K |
| CVE-2026-21909 | rpd | Memory leak | Network-adjacent | None | Process crash | MX, SRX |
| CVE-2026-21908 | dot1xd | Use-After-Free | Network-adjacent | Authenticated | DoS / Potential RCE | Junos OS / Evolved |
| CVE-2026-21907 | TLS Server | Weak cryptography | Network | None | Traffic decryption | Junos Space |
| CVE-2026-21906 | PFE (GRE) | Improper exception handling | Network | None | PFE crash | SRX |
| CVE-2026-21905 | SIP ALG | Infinite loop | Network | None | Flow daemon crash | SRX, MX |
| CVE-2026-21903 | PFE | Stack buffer overflow | Network | Low-priv | DoS | Junos OS |
| CVE-2026-0203 | Packet processing | Improper exception handling | Network-adjacent | None | FPC crash | Junos OS |

Detailed CVE Technical Analysis


CVE-2026-21918 — flowd Double Free (Critical)

What’s happening

Improper memory cleanup allows the same pointer to be freed twice during malformed flow processing. This corrupts heap metadata inside the flow daemon.

How it can be exploited

An attacker sends specially crafted packets that manipulate flow teardown paths. Repeated triggers reliably crash flowd; in carefully timed scenarios, reused heap memory may allow remote code execution.

Impact

  • Flow daemon crash
  • Firewall traffic disruption
  • Possible arbitrary code execution

MITRE ATT&CK

  • T1068 – Exploitation for Privilege Escalation
  • T1203 – Exploitation for Client Execution

Detection

  • Repeated flowd restarts
  • Heap corruption or malloc/free errors
  • Sudden drop in active sessions

Log Sources

  • /var/log/messages
  • Flow daemon crash dumps
  • Core file generation logs

Network Indicators

  • Malformed TCP/UDP session teardown packets
  • Abnormal FIN/RST sequencing

CVE-2026-21908 — dot1xd Use-After-Free (Critical)

What’s happening

A freed authentication object is reused during 802.1X state transitions.

How it can be exploited

An authenticated user rapidly renegotiates EAP sessions, forcing reuse of invalid memory references.

Impact

  • Authentication service crash
  • Potential root-level code execution
  • Loss of network access control

MITRE ATT&CK

  • T1078 – Valid Accounts
  • T1068 – Exploitation for Privilege Escalation

Detection

  • dot1xd segmentation faults
  • Authentication loops
  • Interface authentication flapping

Log Sources

  • Authentication logs
  • dot1xd debug output
  • Syslog authentication facility

CVE-2026-21910 — PFE Exception Handling Failure

What’s happening

Unexpected packet conditions are not properly handled inside forwarding microcode.

How it can be exploited

Malformed L2/L3 packets cause forwarding logic to fail, leading to a silent traffic blackhole.

Impact

  • Data plane outage
  • No control-plane visibility
  • Requires reboot to recover

MITRE ATT&CK

  • T1499 – Endpoint Denial of Service

Detection

  • Traffic loss with healthy control plane
  • PFE watchdog alerts
  • Interface counters frozen

Log Sources

  • PFE syslogs
  • Line card health logs
  • Hardware monitoring logs

CVE-2026-21907 — TLS Weak Cryptography

What’s happening

TLS services accept deprecated cryptographic parameters.

How it can be exploited

An attacker downgrades TLS sessions and passively decrypts traffic.

Impact

  • Confidential data exposure
  • Credential interception

MITRE ATT&CK

  • T1040 – Network Sniffing
  • T1557 – Man-in-the-Middle

Detection

  • TLS handshake downgrade events
  • Use of weak cipher suites

Log Sources

  • TLS negotiation logs
  • Management plane audit logs

CVE-2026-21921 — chassisd Use-After-Free

What’s happening

Improper object lifecycle handling during chassis operations leaves chassisd referencing memory that has already been freed.

How it can be exploited

Low-privileged users trigger repeated hardware queries, causing daemon crashes.

Impact

  • Control-plane reset
  • Line-card instability

MITRE ATT&CK

  • T1499 – Endpoint Denial of Service

Remaining CVEs (Pattern Summary)

The remaining CVEs follow DoS-centric exploitation patterns, including:

  • Malformed packet handling
  • Race conditions (TOCTOU)
  • Improper locking
  • Infinite loops
  • Incorrect boundary calculations

These issues primarily lead to daemon crashes, CPU exhaustion, forwarding failures, or hardware resets.


Detection & Monitoring Strategy

Recommended Telemetry

  • Control-plane daemon crash frequency
  • PFE watchdog resets
  • CPU spikes without configuration changes
  • Repeated protocol renegotiation events

SIEM Rules (Conceptual)

  • Alert on >3 daemon restarts within 10 minutes
  • Detect malformed packet bursts with invalid headers
  • Flag TLS downgrade attempts

Log Sources to Collect

  • /var/log/messages
  • PFE hardware logs
  • Authentication & access logs
  • Core dump events

Detection Rules

Memory Corruption

IF daemon restarts > 3 within 10 minutes
AND daemon IN (flowd, dot1xd, chassisd, rpd)
THEN alert "Memory Corruption Exploitation Attempt"
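
The restart rule above as a sliding-window check over syslog lines. This is an added example, not code from the original post or from Juniper; the log line shape, host names and timestamps are constructed assumptions, and daemon terminations are counted as a proxy for restarts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED = {"flowd", "dot1xd", "chassisd", "rpd"}   # daemons named in the rule
WINDOW = timedelta(minutes=10)
THRESHOLD = 3                                      # alert on more than 3

# Assumed line shape (constructed, not a documented Junos format):
#   <ISO timestamp> <host> init: <daemon> (PID <n>) terminated ...
# Adapt the pattern to the termination messages your devices actually emit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) init: (?P<daemon>\w+) \(PID \d+\) terminated")

def restart_alerts(lines):
    """Return (host, daemon, time) whenever a watched daemon terminates more
    than THRESHOLD times inside a sliding WINDOW on the same host."""
    recent = defaultdict(deque)          # (host, daemon) -> recent timestamps
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["daemon"] not in WATCHED:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[(m["host"], m["daemon"])]
        q.append(ts)
        while ts - q[0] > WINDOW:        # drop events older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            alerts.append((m["host"], m["daemon"], ts))
    return alerts

# Constructed sample lines: flowd crashes four times in about seven minutes,
# rpd four times over an hour, and an unwatched daemon crashes in a burst.
SAMPLE = [
    "2026-01-14T09:00:00 mx1 init: rpd (PID 2001) terminated by signal 11",
    "2026-01-14T09:20:00 mx1 init: rpd (PID 2050) terminated by signal 11",
    "2026-01-14T09:40:00 mx1 init: rpd (PID 2099) terminated by signal 11",
    "2026-01-14T10:00:00 mx1 init: rpd (PID 2140) terminated by signal 11",
    "2026-01-14T10:00:05 fw1 init: flowd (PID 4101) terminated by signal 11",
    "2026-01-14T10:00:30 fw1 init: snmpd (PID 4102) terminated by signal 11",
    "2026-01-14T10:00:40 fw1 init: snmpd (PID 4110) terminated by signal 11",
    "2026-01-14T10:00:50 fw1 init: snmpd (PID 4118) terminated by signal 11",
    "2026-01-14T10:01:00 fw1 init: snmpd (PID 4126) terminated by signal 11",
    "2026-01-14T10:02:10 fw1 init: flowd (PID 4188) terminated by signal 11",
    "2026-01-14T10:03:00 fw1 mgd: commit complete",
    "2026-01-14T10:04:40 fw1 init: flowd (PID 4251) terminated by signal 11",
    "2026-01-14T10:07:15 fw1 init: flowd (PID 4307) terminated by signal 11",
]
```

Only the fourth flowd termination on fw1 raises an alert; the rpd crashes are too far apart and snmpd is not in the watched set.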

PFE Failure

IF traffic drops abruptly
AND control plane healthy
AND PFE errors detected
THEN alert "PFE Exception Handling Failure"
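
One way to turn the PFE rule into a check on polled counters, shown as an added example that is not part of the original post. The `Poll` fields, thresholds, interface names and sample values are assumptions and constructed data; feed it whatever your collector records for link state, packet counters and PFE error counts.

```python
from dataclasses import dataclass

@dataclass
class Poll:              # one collector sample (field names are assumptions)
    t: int               # poll time in seconds
    ifname: str
    oper_up: bool        # link state as the control plane reports it
    pkts: int            # cumulative in+out packet counter
    pfe_errors: int      # cumulative PFE error-log count for the line card

MIN_BASELINE_PPS = 100   # skip interfaces that were idle before the freeze
FROZEN_POLLS = 2         # consecutive zero-delta polls required to alert

def blackhole_suspects(polls):
    """Return (ifname, time) where counters froze after carrying traffic,
    the link still reports up, and PFE errors rose since traffic last moved."""
    state = {}           # ifname -> (previous poll, baseline pps, streak, errors)
    suspects = []
    for p in polls:
        if p.ifname not in state:
            state[p.ifname] = (p, 0.0, 0, p.pfe_errors)
            continue
        prev, baseline, frozen, err0 = state[p.ifname]
        pps = (p.pkts - prev.pkts) / (p.t - prev.t)
        if pps != 0 or not p.oper_up:
            # Traffic moved, counter reset, or a visible link-down: not silent.
            state[p.ifname] = (p, pps, 0, p.pfe_errors)
            continue
        frozen += 1
        if (frozen == FROZEN_POLLS and baseline >= MIN_BASELINE_PPS
                and p.pfe_errors > err0):
            suspects.append((p.ifname, p.t))
        state[p.ifname] = (p, baseline, frozen, err0)
    return suspects

# Constructed samples, 60 s apart: a busy port that freezes, an idle port,
# and a port whose link goes down (which the control plane does report).
SAMPLE = [
    Poll(0, "xe-0/0/1", True, 1_000_000, 0), Poll(0, "xe-0/0/2", True, 500, 0),
    Poll(0, "xe-0/0/3", True, 2_000_000, 0),
    Poll(60, "xe-0/0/1", True, 1_600_000, 0), Poll(60, "xe-0/0/2", True, 560, 0),
    Poll(60, "xe-0/0/3", True, 2_900_000, 0),
    Poll(120, "xe-0/0/1", True, 1_600_000, 3), Poll(120, "xe-0/0/2", True, 560, 3),
    Poll(120, "xe-0/0/3", False, 2_900_000, 3),
    Poll(180, "xe-0/0/1", True, 1_600_000, 5), Poll(180, "xe-0/0/2", True, 560, 5),
    Poll(180, "xe-0/0/3", False, 2_900_000, 5),
]
```

Only xe-0/0/1 is flagged: it carried traffic, its counters stopped advancing while the link stayed up, and PFE errors increased over the same interval.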

CPU Exhaustion

IF CPU > 90% for 5 minutes
AND no traffic surge
THEN alert "DoS via Logical Loop"

TLS Downgrade

IF TLS version < 1.2
OR weak cipher negotiated
THEN alert "TLS Downgrade Detected"

Official Patch Information

Remediation Status

Vendor-supplied fixes are available.

Official Patch Source

Juniper Networks Support Portal – Security Bulletins (JSB)
https://supportportal.juniper.net/

Patch Guidance

  • Upgrade to fixed Junos OS / Junos OS Evolved releases
  • Apply interim hotfixes where full upgrade is not feasible
  • Reboot affected PFEs after patching

Final Takeaway

These vulnerabilities are low-effort, high-impact, and well-suited for intentional disruption attacks.

Repeated crashes, forwarding failures, or CPU spikes should always be treated as potential security incidents.

Key Actions

  1. Patch immediately
  2. Monitor daemon stability
  3. Watch the data plane as closely as the control plane
  4. Assume DoS may be deliberate

Aegiron