Skip to main content

Juniper CVE-2026-33773

| EUVDEUVD-2026-21085 MEDIUM
Incorrect Initialization of Resource (CWE-1419)
2026-04-09 juniper
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
24.2R2-S4,23.4R2-S7
EUVD ID Assigned
Apr 09, 2026 - 21:45 euvd
EUVD-2026-21085
Analysis Generated
Apr 09, 2026 - 21:45 vuln.today
CVE Published
Apr 09, 2026 - 21:28 nvd
MEDIUM 6.9

DescriptionCVE.org

An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series device allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks.

When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked.

This issue affects Junos OS on EX Series and QFX Series:

  • 23.4 version 23.4R2-S6,
  • 24.2 version 24.2R2-S3.

No other Junos OS versions are affected.

AnalysisAI

Packet forwarding engine (pfe) in Juniper Networks Junos OS on EX4100, EX4400, EX4650, and QFX5120 devices fails to correctly initialize egress filters on IRB and physical interfaces, allowing unauthenticated network-based attackers to bypass security policies and cause integrity impact by forwarding traffic that should be blocked. The vulnerability affects Junos OS versions 23.4R2-S6 and 24.2R2-S3. EPSS score of 6.9 reflects moderate exploitation probability; no active exploitation confirmed (non-KEV status).

Technical ContextAI

The vulnerability exists in the packet forwarding engine's (pfe) filter application logic on specific EX Series (campus Ethernet switches) and QFX Series (core routing platforms) devices. When identical inet or inet6 family filters are configured as egress policies on both an Integrated Routing and Bridging (IRB) interface and a physical interface on the same device, the filter initialization routine fails to apply both filters correctly-only one is enforced. This is classified as CWE-1419 (Incorrect Initialization with Hard-Coded Network Resource Configuration Values), indicating a fundamental resource initialization flaw in the forwarding pipeline. The affected CPE is cpe:2.3:a:juniper_networks:junos_os:*:*:*:*:*:*:*:*, though only specific hardware SKUs (EX4100, EX4400, EX4650, QFX5120) and OS versions exhibit the defect.

RemediationAI

Juniper has released patches for both affected branches: upgrade to Junos OS version 23.4R2-S7 or later for the 23.4 line, or upgrade to version 24.2R2-S4 or later for the 24.2 line. The fundamental fix corrects the packet forwarding engine's filter initialization routine to properly apply egress filters on both IRB and physical interfaces simultaneously. Until patching is possible, operators can mitigate by: (1) applying the same egress filter only on the physical interface (not on the IRB), or (2) ensuring that firewall policy enforcement is redundant at upstream network boundaries or at Layer 3 policy enforcement points. Consult Juniper advisory JSA107815 for the exact patch versions, detailed upgrade procedures, and confirmation that your device hardware SKU is addressed by the released patches.

CVE-2015-7755 CRITICAL POC
9.8 Dec 19

Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r

CVE-2025-21590 MEDIUM
6.7 Mar 12

A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti

CVE-2023-36845 CRITICAL POC
9.8 Aug 17

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all

CVE-2013-6618 CRITICAL POC
9.0 Nov 05

jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,

CVE-2017-10622 CRITICAL
9.8 Oct 13

An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un

CVE-2018-20193 HIGH POC
8.8 Dec 21

Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by

CVE-2014-6380 HIGH POC
7.8 Oct 14

Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor

CVE-2021-0253 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al

CVE-2021-0252 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow

CVE-2019-0053 HIGH POC
7.8 Jul 11

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe

CVE-2023-22415 HIGH POC
7.5 Jan 13

An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba

CVE-2022-22223 HIGH POC
7.5 Oct 18

On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P

Share

CVE-2026-33773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy