Skip to main content

Junos OS Evolved CVE-2026-33794

| EUVDEUVD-2026-42699 HIGH
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-07-09 sirt@juniper.net GHSA-978v-9chj-92p2
8.2
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
8.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Green
vuln.today AI
5.9 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N) but the trigger depends on events outside attacker control, so AC:H; impact is availability-only (A:H) with no confidentiality or integrity effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 22:01 EUVD
Analysis Generated
Jul 09, 2026 - 21:34 vuln.today

DescriptionCVE.org

An Improper Check for Unusual or Exceptional Conditions vulnerability in the

advanced forwarding toolkit (evo-aftmand)

of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated network-based attacker generating continuous routing updates, resulting in unilist ECMP routes, to crash the

evo-aftmand process on the PFE, leading to a Denial-of-Service (DoS). The conditions required for successful exploitation are based on a sequence of events that are outside an attacker's direct control.

Unified list (unilist) ECMP routes are a specific ECMP behavior where multiple equal-cost routes share a single logical next-hop list entry. The router treats them as one route with multiple next hops and load balances traffic across that unified list. Due to an issue processing unilist ECMP routing updates, internal state corruption may occur, especially in large-scale ECMP unilist deployments, leading to the evo-aftmand process crashing, resulting in an evo-aftmand-bx core. Manual intervention is required to recover by rebooting the system or restarting the FPC.

This issue affects Junos OS Evolved on PTX :

  • from 24.4R2-EVO before 24.4R2-S3-EVO;
  • from 25.2 before 25.2R2-EVO.

AnalysisAI

Denial-of-service in Juniper Junos OS Evolved on PTX Series routers lets an unauthenticated network attacker crash the advanced forwarding toolkit process (evo-aftmand) on the Packet Forwarding Engine by driving continuous routing updates that produce unified-list (unilist) ECMP routes. The resulting internal state corruption generates an evo-aftmand-bx core and halts forwarding, requiring a manual FPC restart or system reboot to recover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach PTX routing plane
Delivery
Inject continuous routing updates
Exploit
Form large-scale unilist ECMP routes
Execution
Corrupt evo-aftmand internal state
Persist
Crash PFE process (core)
Impact
Forwarding DoS until manual FPC restart

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to be a PTX Series router running Junos OS Evolved 24.4R2-EVO through pre-24.4R2-S3-EVO or 25.2 through pre-25.2R2-EVO, and the attacker must be able to generate continuous routing updates that cause the router to form unilist (unified-list) ECMP routes - the specific condition is the processing of unilist ECMP routing updates, most impactful in large-scale ECMP unilist deployments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a real but conditional availability risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned to influence routing state toward an exposed PTX core router (for example via a peering session or upstream route injection) generates continuous routing updates that repeatedly create and churn equal-cost paths, driving the router to build large-scale unilist ECMP next-hop structures. Under the right sequence of updates, evo-aftmand mishandles the exceptional condition, corrupts internal state, and cores on the PFE, dropping forwarding on that FPC until an operator manually restarts it. …
Remediation Vendor-released patch: upgrade to Junos OS Evolved 24.4R2-S3-EVO or later on the 24.4 train, or 25.2R2-EVO or later on the 25.2 train, per Juniper advisory JSA110073 (https://supportportal.juniper.net/JSA110073). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all PTX Series routers running Junos OS Evolved and assess network criticality to business operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-31353 HIGH POC
7.5 Oct 19

An Improper Handling of Exceptional Conditions vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an

CVE-2024-39553 MEDIUM POC
6.9 Jul 11

An Exposure of Resource to Wrong Sphere vulnerability in the sampling service of Juniper Networks Junos OS Evolved allow

CVE-2021-0211 CRITICAL
10.0 Jan 15

An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protoc

CVE-2022-22215 MEDIUM POC
5.5 Jul 20

A Missing Release of File Descriptor or Handle after Effective Lifetime vulnerability in plugable authentication module

CVE-2023-44182 HIGH
8.8 Oct 13

An Unchecked Return Value vulnerability in the user interfaces to the Juniper Networks Junos OS and Junos OS Evolved, th

CVE-2023-28983 HIGH
8.8 Apr 17

An OS Command Injection vulnerability in gRPC Network Operations Interface (gNOI) server module of Juniper Networks Juno

CVE-2022-22239 HIGH
8.8 Oct 18

An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved a

CVE-2021-31354 HIGH
8.8 Oct 19

An Out Of Bounds (OOB) access vulnerability in the handling of responses by a Juniper Agile License (JAL) Client in Juni

CVE-2021-31350 HIGH
8.8 Oct 19

An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on

CVE-2021-0208 HIGH
8.8 Jan 15

An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS all

CVE-2025-30651 HIGH
8.7 Apr 09

A Buffer Access with Incorrect Length Value vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos

CVE-2024-47502 HIGH
8.7 Oct 11

An Allocation of Resources Without Limits or Throttling vulnerability in the kernel of Juniper Networks Junos OS Evolved

Share

CVE-2026-33794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy