Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Local CLI access and a low-privileged account are required; only availability is impacted via temporary process crash with no confidentiality or integrity effect.
Primary rating from Vendor (juniper).
CVSS VectorVendor: juniper
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Return of Pointer Value Outside of Expected Range vulnerability in the fileio library of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privilged attacker to cause a Denial-of-Service (DoS).
On EX Series, QFX Series and MX Series a low-privileged attacker issuing a specific 'show l2-learning' command will cause an l2ald crash which will lead to a temporary service impact for all layer 2 services until the process has automatically restarted.
This issue affects EX Series, QFX Series, MX Series: Junos OS:
- all versions before 23.2R2-S7,
- 23.4 versions before 23.4R2-S7,
- 24.2 versions before 24.2R2,
- 24.4 versions before 24.4R1-S2.
Junos OS Evolved:
- all versions before 23.2R2-S7-EVO,
- 23.4 versions before 23.4R2-S8-EVO,
- 24.2 versions before 24.2R2-EVO,
- 24.4 versions before 24.4R1-S3-EVO.
AnalysisAI
Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a local, low-privileged attacker to crash the l2ald (Layer 2 Address Learning Daemon) by issuing a specific 'show l2-learning' CLI command, disrupting all Layer 2 services until the process automatically restarts. The root cause is a Return of Pointer Value Outside of Expected Range flaw (CWE-466) in the fileio library. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local CLI access to the affected Juniper device (AV:L confirmed by CVSS vector), which in practice means SSH, console, or out-of-band management access. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.5 (Medium) accurately reflects the constrained attack surface: AV:L requires the attacker to have local CLI access to the device, and PR:L requires at least a low-privileged account - meaning unauthenticated remote exploitation is not possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged Junos CLI account - for example, a read-only NOC operator account or a compromised service account - logs into an affected EX, QFX, or MX device via SSH and issues a specific 'show l2-learning' command. This triggers the pointer out-of-range condition in the fileio library, crashing l2ald and dropping all Layer 2 forwarding state on the device until the process restarts, potentially causing network outages for downstream users. … |
| Remediation | The primary fix is to upgrade to a patched Junos OS release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated
Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthen
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls l
Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exh
Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low
Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t
Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauth
Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t
Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that ass
Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta
Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally au
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42713
GHSA-q958-7f7x-pmq4