Skip to main content

Junos OS CVE-2026-21901

| EUVDEUVD-2026-42697 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-07-09 sirt@juniper.net
6.7
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
6.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:M/U:Green
vuln.today AI
4.4 MEDIUM

Local access and high privileges required to modify SSH config hierarchy; impact is solely mgd availability with no scope change.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:M/U:Green
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 22:01 EUVD
Analysis Generated
Jul 09, 2026 - 21:55 vuln.today

DescriptionCVE.org

A NULL Pointer Dereference vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker setting or deactivating a specific SSH configuration parameter to create a Denial of Service (DoS).

A local high-privileged user configuring or deactivating a specific 'system services ssh' configuration parameter can exploit a null pointer dereference in one of the functions used by SSH. The function attempts to dereference a null pointer when accessing certain configuration data, resulting in an mgd process crash and restart. Continued execution of these configuration commands will create a sustained Denial of Service (DoS) condition.

This issue affects: Junos OS:

  • from 22.3 before 22.3R3-S5;
  • from 22.4 before 22.4R3-S10;
  • from 23.2 before 23.2R2-S7;
  • from 23.4 before 23.4R2-S8.

This issue does not affect Junos OS before 22.3R1.

Junos OS Evolved:

  • from 22.3R1-EVO before 23.2R2-S7-EVO;
  • from 23.4 before 23.4R2-S8-EVO.

This issue does not affect Junos OS Evolved before 22.3R1-EVO.

AnalysisAI

NULL pointer dereference in the Juniper Networks Junos OS and Junos OS Evolved management daemon (mgd) allows a local, high-privileged attacker to crash the mgd process by manipulating a specific 'system services ssh' configuration parameter. Repeated execution of the offending configuration commands sustains the Denial of Service condition until the action ceases, as mgd will restart but crash again upon re-triggering. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged Junos credentials
Delivery
Access device CLI or NETCONF interface
Exploit
Issue set/deactivate on target SSH config parameter
Execution
mgd dereferences null pointer
Persist
mgd process crashes
Impact
Management-plane DoS established

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) local or in-band management access to the Juniper device, (2) a high-privileged account (superuser or equivalent with write access to the 'system services ssh' configuration hierarchy), and (3) execution of a set or deactivate operation on a specific SSH configuration parameter under 'system services ssh'. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.7 (Medium) accurately reflects the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A network administrator or a threat actor who has obtained high-privileged credentials on a Juniper device issues a configuration command to set or deactivate a specific parameter within the 'system services ssh' hierarchy - for example, via CLI or a NETCONF session. The mgd process dereferences a null pointer while processing the change and crashes, interrupting management-plane access until mgd restarts. …
Remediation The primary remediation is upgrading to a fixed release: for Junos OS, upgrade to 22.3R3-S5, 22.4R3-S10, 23.2R2-S7, or 23.4R2-S8 (or later within each train); for Junos OS Evolved, upgrade to 23.2R2-S7-EVO or 23.4R2-S8-EVO (or later). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-7755 CRITICAL POC
9.8 Dec 19

Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r

CVE-2025-21590 MEDIUM
6.7 Mar 12

A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti

CVE-2023-36845 CRITICAL POC
9.8 Aug 17

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all

CVE-2013-6618 CRITICAL POC
9.0 Nov 05

jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,

CVE-2017-10622 CRITICAL
9.8 Oct 13

An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un

CVE-2018-20193 HIGH POC
8.8 Dec 21

Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by

CVE-2014-6380 HIGH POC
7.8 Oct 14

Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor

CVE-2021-0253 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al

CVE-2021-0252 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow

CVE-2019-0053 HIGH POC
7.8 Jul 11

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe

CVE-2023-22415 HIGH POC
7.5 Jan 13

An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba

CVE-2022-22223 HIGH POC
7.5 Oct 18

On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P

Share

CVE-2026-21901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy