Skip to main content

Juniper Junos OS CVE-2026-57022

| EUVDEUVD-2026-42709 HIGH
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-07-09 juniper GHSA-fw4x-gm4m-gfp9
8.2
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
8.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N), but AC:H reflects the requirement that the device initiate an outbound connection to the attacker; impact is availability-only PFE DoS (A:H).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:M/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Updated
Jul 09, 2026 - 22:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 22:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jul 09, 2026 - 22:22 NVD
5.9 (MEDIUM) 8.2 (HIGH)
Analysis Generated
Jul 09, 2026 - 22:18 vuln.today
CVE Published
Jul 09, 2026 - 21:06 cve.org
MEDIUM 5.9

DescriptionCVE.org

An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX with SPC3 and SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

When an affected device initiates a TCP connection to an attacker-controlled system that responds with a specific packet, this causes a PFE crash and restart, which affects all services until the system has automatically recovered. This issue can happen among others in the following scenarios: ALG, SSL proxy, UTM, RTLOG, AppQoE probing, AAMW, ICAP, URL filtering.

This issue affects Junos OS on MX Series with SPC3, SRX5k Series with SPC3, SRX1600 Series, SRX2300 Series, SRX4000 Series, and vSRX Series:

  • all versions before 23.2R2-S4,
  • 23.4 versions before 23.4R2-S5,
  • 24.2 versions before 24.2R2.

AnalysisAI

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts malicious TCP responder
Delivery
Induce device outbound connection via flow service
Exploit
Send crafted response packet
Execution
Trigger unhandled condition in PFE (CWE-754)
Persist
PFE crash and restart
Impact
All forwarding services disrupted until recovery

Vulnerability AssessmentAI

Exploitation Exploitation requires that the affected device itself initiate an outbound TCP connection to an attacker-controlled system while running one of the PFE flow services named in the advisory: ALG, SSL proxy, UTM, RTLOG, AppQoE probing, AAMW, ICAP, or URL filtering. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N, VA:H, SA:L) scores 8.2 (High) and captures the key nuance: network reach and no privileges/interaction, but AT:P signals a real attack requirement - the target must first initiate an outbound connection to the attacker, which the attacker cannot force unilaterally. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious server and induces an SRX/MX device to open an outbound TCP session to it - for instance by getting a monitored client to browse to an attacker domain that the device's URL filtering or SSL proxy then connects to, or by controlling a destination reached via ICAP/AAMW/RTLOG. The attacker's server replies with the specific crafted packet, crashing the PFE and interrupting all forwarded traffic until the engine restarts. …
Remediation Vendor-released patch: upgrade to Junos OS 23.2R2-S4, 23.4R2-S5, 24.2R2, or later per Juniper advisory JSA110082 (https://supportportal.juniper.net/JSA110082). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Juniper MX (with SPC3) and SRX devices; assess which handle critical traffic paths. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57026 HIGH
8.7 Jul 09

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated

CVE-2026-57023 HIGH
8.7 Jul 09

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthen

CVE-2026-57030 HIGH
8.2 Jul 09

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exh

CVE-2026-57032 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low

CVE-2026-57027 HIGH
7.1 Jul 09

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t

CVE-2026-57020 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)

CVE-2026-57019 HIGH
7.1 Jul 09

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauth

CVE-2026-57021 MEDIUM
6.9 Jul 09

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t

CVE-2026-57024 MEDIUM
6.9 Jul 09

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that ass

CVE-2026-57054 MEDIUM
6.9 Jul 09

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta

CVE-2026-57025 MEDIUM
6.8 Jul 09

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a loc

CVE-2026-33802 MEDIUM
6.8 Jul 09

Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally au

Share

CVE-2026-57022 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy