TLS
CVE-2026-21917
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series:
- 23.2 versions from 23.2R2-S2 before 23.2R2-S5,
- 23.4 versions from 23.4R2-S1 before 23.4R2-S5,
- 24.2 versions before 24.2R2-S2,
- 24.4 versions before 24.4R1-S3, 24.4R2.
Earlier versions of Junos are also affected, but no fix is available.
AnalysisAI
Malformed SSL packets can trigger a Denial-of-Service condition in Juniper SRX devices running Junos OS with UTM Web-Filtering enabled, causing Forwarding Processor Card (FPC) crashes and restarts without requiring authentication. An unauthenticated network-based attacker can exploit this input validation flaw in the Web-Filtering module to disrupt device availability across affected Junos versions (23.2R2-S2 through 24.4R2). No patches are currently available for earlier Junos versions, and affected systems remain vulnerable until updates are applied.
Technical ContextAI
Affects the Web-Filtering component of Junos. An Improper Validation of Syntactic Correctness of Input vulnerability in the Web-Filtering module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
If an SRX device configured for UTM Web-Filtering receives a specifically malformed SSL packet, this will cause an FPC crash and restart. This issue affects Junos OS on SRX Series:
- 23.2 versions from 23.2R2-S2 before 23.2R2-S5,
- 23.4 versions from 23.4R2-S1
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromis
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in Cli
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casi
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using altern
Alist file manager has an improper certificate validation vulnerability allowing MITM attacks that could compromise file
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, e
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS ce
Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows re
SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers
EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today