Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Adjacent vector; AC:H because exploitation requires an uncontrollable race condition timing window; no privileges needed; high availability impact on the forwarding plane when triggered.
Primary rating from Vendor (juniper).
CVSS VectorVendor: juniper
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Lifecycle Timeline
3DescriptionCVE.org
A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).
When the reachability of an sFlow collector changes, the corresponding next-hop entry is updated. If this update occurs simultaneously with the sFlow thread accessing the next-hop data (which is outside the attackers control), it causes the evo-pfemand process to crash, impacting all traffic forwarding until the automatic process restart has completed.
This issue affects Junos OS Evolved on QFX Series:
- all 23.2 versions,
- 23.4 versions before 23.4R2-S7-EVO,
- 24.2 versions before 24.2R2-S5-EVO,
- 24.4 versions before 24.4R2-S3-EVO,
- 25.2 versions before 25.2R2-EVO.
AnalysisAI
Traffic forwarding on Juniper QFX Series switches running Junos OS Evolved can be fully disrupted by an adjacent, unauthenticated attacker exploiting a race condition in the sFlow collector handler. When sFlow collector reachability changes trigger a next-hop entry update concurrently with the sFlow thread reading that same next-hop data, the evo-pfemand process crashes and all packet forwarding halts until the process automatically restarts. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | sFlow must be actively configured on the Junos OS Evolved QFX device - this vulnerability is not reachable on devices where sFlow collection is not enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.0 (Medium) reflects the combination of adjacent-only reach (AV:A), a probabilistic attack requirement (AT:P), no required privileges (PR:N), and high vulnerable-system availability impact (VA:H) with low subsequent-system availability impact (SA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with layer-2 adjacency to a QFX switch running sFlow-enabled Junos OS Evolved disrupts connectivity to the configured sFlow collector - for example by generating ARP storms, manipulating routing adjacencies, or physically disconnecting an upstream link - causing the device to repeatedly update the sFlow next-hop entry. If one of these updates coincides with the sFlow thread actively reading the next-hop data, evo-pfemand crashes and the switch drops all in-flight and subsequent traffic until the process restarts. … |
| Remediation | Upgrade Junos OS Evolved on affected QFX Series devices to a fixed release: 23.4R2-S7-EVO or later in the 23.4 train, 24.2R2-S5-EVO or later in the 24.2 train, 24.4R2-S3-EVO or later in the 24.4 train, or 25.2R2-EVO or later in the 25.2 train. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Junos Os Evolved
View allAn Improper Handling of Exceptional Conditions vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an
An Exposure of Resource to Wrong Sphere vulnerability in the sampling service of Juniper Networks Junos OS Evolved allow
An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protoc
A Missing Release of File Descriptor or Handle after Effective Lifetime vulnerability in plugable authentication module
An Unchecked Return Value vulnerability in the user interfaces to the Juniper Networks Junos OS and Junos OS Evolved, th
An OS Command Injection vulnerability in gRPC Network Operations Interface (gNOI) server module of Juniper Networks Juno
An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved a
An Out Of Bounds (OOB) access vulnerability in the handling of responses by a Juniper Agile License (JAL) Client in Juni
An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on
An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS all
A Buffer Access with Incorrect Length Value vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos
An Allocation of Resources Without Limits or Throttling vulnerability in the kernel of Juniper Networks Junos OS Evolved
Same weakness CWE-820 – Missing Synchronization
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42718
GHSA-x7gh-cpmx-x9cj