Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Lifecycle Timeline
7DescriptionCVE.org
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allow an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS).
On EX4k, and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on NNI in VXLAN scenarios, receiving VSTP BPDUs on UNI leads to packet buffer allocation failures, resulting in the device to not pass traffic anymore until it is manually recovered with a restart.This issue affects Junos OS:
- 24.4 releases before 24.4R2,
- 25.2 releases before 25.2R1-S1, 25.2R2.
This issue does not affect Junos OS releases before 24.4R1.
AnalysisAI
Packet buffer allocation failure in Juniper EX4000 and QFX5000 Series switches allows adjacent unauthenticated attackers to cause persistent Denial of Service requiring manual device restart. Attack vector requires specific configuration: device configured as service-provider edge with L2PT enabled on UNI and VSTP enabled on NNI in VXLAN scenarios. Receiving VSTP BPDUs on UNI triggers buffer exhaustion, halting all traffic forwarding. Affects Junos OS 24.4 through 24.4R1, 25.2 through 25.2R1. No public exploit identified at time of analysis.
Technical ContextAI
CWE-754 improper exceptional condition handling in packet forwarding engine. Vulnerable code lacks validation when processing VSTP Bridge Protocol Data Units received on User Network Interface in Layer 2 Protocol Tunneling configurations with VXLAN. Buffer allocation failures cascade into complete forwarding plane shutdown requiring manual intervention beyond automatic recovery mechanisms.
RemediationAI
Vendor-released patches: upgrade to Junos OS 24.4R2 or later for 24.4 branch; upgrade to 25.2R1-S1, 25.2R2, or later for 25.2 branch. Releases prior to 24.4R1 are unaffected and do not require action. Configuration-based workarounds: disable L2PT on UNI interfaces or disable VSTP on NNI interfaces to break attack prerequisites, though this may impact service-provider edge functionality. Implement network segmentation to restrict adjacent network access to trusted devices only. Full advisory and configuration guidance available at https://kb.juniper.net/JSA107869. Organizations unable to immediately patch should evaluate configuration changes against operational requirements and monitor affected devices for traffic forwarding anomalies.
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r
A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21199
GHSA-gv4f-m3jw-j3h9