Skip to main content

Junos OS CVE-2026-33800

| EUVDEUVD-2026-42701 HIGH
Unchecked Input for Loop Condition (CWE-606)
2026-07-09 sirt@juniper.net GHSA-cxfq-ph57-rvh2
7.1
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
vuln.today AI
6.5 MEDIUM

Adjacent BFD peering (AV:A) with low-complexity flapping and no auth (AC:L/PR:N), availability-only FPC crash (A:H, C:N/I:N); scope kept Unchanged as the FPC is the vulnerable component.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 22:01 EUVD
Analysis Generated
Jul 09, 2026 - 21:35 vuln.today

DescriptionCVE.org

An Unchecked Input for Loop Condition vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).Micro-BFD session flaps generate respective up/down events which are queued by PFEMAN for processing. Especially in a Virtual-Chassis (VC) scenario with locality‑bias configured, processing takes a significant amount of time for each event. If these sessions keep flapping, new events are constantly added, and in turn PFEMAN never completes processing these events. This results in the PFEMAN watchdog timer expiring, which causes the FPC to crash and restart, representing a complete service outage.

This issue only affects MX series FPCs up to and including MPC9. It does not affect MPC10/11, LC4800/9600 and MX304.

This issue affects Junos OS on MX Series:

  • all versions before 23.2R2-S7,
  • 23.4 versions before 23.4R2-S8,
  • 24.2 versions before 24.2R2-S4,
  • 24.4 versions before 24.4R2-S3,
  • 25.2 versions before 25.2R2.

AnalysisAI

Denial-of-service in the Packet Forwarding Engine of Juniper Junos OS on MX Series routers allows an unauthenticated, network-adjacent attacker to crash and restart the FPC by continuously flapping Micro-BFD sessions. The PFEMAN process queues each up/down event and, in a Virtual-Chassis deployment with locality-bias enabled, processing is slow enough that a sustained flap backlog prevents completion and trips the PFEMAN watchdog timer, forcing an FPC restart and a full traffic outage. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent BFD peering position
Delivery
Rapidly flap Micro-BFD sessions
Exploit
Flood PFEMAN event queue
Execution
Prevent event-loop completion
Persist
Trip PFEMAN watchdog timer
Impact
Crash and restart FPC (service outage)

Vulnerability AssessmentAI

Exploitation Exploitation requires network-adjacent access with an active Micro-BFD peering to the target MX router, and the target must be running an affected Junos version on an MPC9-or-earlier FPC configured in a Virtual-Chassis with locality-bias enabled - this specific VC-plus-locality-bias configuration is what makes per-event processing slow enough to backlog PFEMAN and trip the watchdog. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score is 7.1 (High) with vector AV:A/AC:L/AT:N/PR:N/UI:N and VA:H, indicating a low-complexity, unauthenticated attack reachable only from an adjacent (Layer-2/BFD peering) position, producing high availability impact with a low subsequent-system availability impact (SA:L) consistent with a Virtual-Chassis outage. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned on an adjacent network segment that peers with an affected MX router over Micro-BFD (for example a compromised or rogue device on a monitored LAG link) repeatedly and rapidly transitions its BFD sessions up and down. In a Virtual-Chassis with locality-bias enabled, the flood of flap events overwhelms PFEMAN's event queue faster than it can process them, tripping the watchdog and crashing the FPC to cause a service outage. …
Remediation Vendor-released patches are available - upgrade to the fixed release for your train: 23.2R2-S7 or later, 23.4R2-S8 or later, 24.2R2-S4 or later, 24.4R2-S3 or later, or 25.2R2 or later, per Juniper advisory JSA110075 (https://supportportal.juniper.net/JSA110075). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all MX Series deployments; identify affected line card models (MPC9 and below) and network topology exposure to adjacent attackers. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2015-7755 CRITICAL POC
9.8 Dec 19

Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r

CVE-2025-21590 MEDIUM
6.7 Mar 12

A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti

CVE-2023-36845 CRITICAL POC
9.8 Aug 17

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all

CVE-2013-6618 CRITICAL POC
9.0 Nov 05

jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,

CVE-2017-10622 CRITICAL
9.8 Oct 13

An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un

CVE-2018-20193 HIGH POC
8.8 Dec 21

Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by

CVE-2014-6380 HIGH POC
7.8 Oct 14

Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor

CVE-2021-0253 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al

CVE-2021-0252 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow

CVE-2019-0053 HIGH POC
7.8 Jul 11

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe

CVE-2023-22415 HIGH POC
7.5 Jan 13

An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba

CVE-2022-22223 HIGH POC
7.5 Oct 18

On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P

Share

CVE-2026-33800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy