Skip to main content

Junos OS Evolved CVE-2026-57029

| EUVDEUVD-2026-42718 MEDIUM
Missing Synchronization (CWE-820)
2026-07-09 juniper GHSA-x7gh-cpmx-x9cj
6.0
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
vuln.today AI
5.3 MEDIUM

Adjacent vector; AC:H because exploitation requires an uncontrollable race condition timing window; no privileges needed; high availability impact on the forwarding plane when triggered.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:23 vuln.today
CVSS changed
Jul 09, 2026 - 22:22 NVD
5.3 (MEDIUM) 6.0 (MEDIUM)

DescriptionCVE.org

A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).

When the reachability of an sFlow collector changes, the corresponding next-hop entry is updated. If this update occurs simultaneously with the sFlow thread accessing the next-hop data (which is outside the attackers control), it causes the evo-pfemand process to crash, impacting all traffic forwarding until the automatic process restart has completed.

This issue affects Junos OS Evolved on QFX Series:

  • all 23.2 versions,
  • 23.4 versions before 23.4R2-S7-EVO,
  • 24.2 versions before 24.2R2-S5-EVO,
  • 24.4 versions before 24.4R2-S3-EVO,
  • 25.2 versions before 25.2R2-EVO.

AnalysisAI

Traffic forwarding on Juniper QFX Series switches running Junos OS Evolved can be fully disrupted by an adjacent, unauthenticated attacker exploiting a race condition in the sFlow collector handler. When sFlow collector reachability changes trigger a next-hop entry update concurrently with the sFlow thread reading that same next-hop data, the evo-pfemand process crashes and all packet forwarding halts until the process automatically restarts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacent network position on QFX segment
Delivery
Disrupt sFlow collector reachability to trigger next-hop update
Exploit
Race condition aligns sFlow thread read with next-hop write
Execution
evo-pfemand process crashes
Impact
All traffic forwarding halts until automatic restart

Vulnerability AssessmentAI

Exploitation sFlow must be actively configured on the Junos OS Evolved QFX device - this vulnerability is not reachable on devices where sFlow collection is not enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.0 (Medium) reflects the combination of adjacent-only reach (AV:A), a probabilistic attack requirement (AT:P), no required privileges (PR:N), and high vulnerable-system availability impact (VA:H) with low subsequent-system availability impact (SA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with layer-2 adjacency to a QFX switch running sFlow-enabled Junos OS Evolved disrupts connectivity to the configured sFlow collector - for example by generating ARP storms, manipulating routing adjacencies, or physically disconnecting an upstream link - causing the device to repeatedly update the sFlow next-hop entry. If one of these updates coincides with the sFlow thread actively reading the next-hop data, evo-pfemand crashes and the switch drops all in-flight and subsequent traffic until the process restarts. …
Remediation Upgrade Junos OS Evolved on affected QFX Series devices to a fixed release: 23.4R2-S7-EVO or later in the 23.4 train, 24.2R2-S5-EVO or later in the 24.2 train, 24.4R2-S3-EVO or later in the 24.4 train, or 25.2R2-EVO or later in the 25.2 train. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-31353 HIGH POC
7.5 Oct 19

An Improper Handling of Exceptional Conditions vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an

CVE-2024-39553 MEDIUM POC
6.9 Jul 11

An Exposure of Resource to Wrong Sphere vulnerability in the sampling service of Juniper Networks Junos OS Evolved allow

CVE-2021-0211 CRITICAL
10.0 Jan 15

An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protoc

CVE-2022-22215 MEDIUM POC
5.5 Jul 20

A Missing Release of File Descriptor or Handle after Effective Lifetime vulnerability in plugable authentication module

CVE-2023-44182 HIGH
8.8 Oct 13

An Unchecked Return Value vulnerability in the user interfaces to the Juniper Networks Junos OS and Junos OS Evolved, th

CVE-2023-28983 HIGH
8.8 Apr 17

An OS Command Injection vulnerability in gRPC Network Operations Interface (gNOI) server module of Juniper Networks Juno

CVE-2022-22239 HIGH
8.8 Oct 18

An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved a

CVE-2021-31354 HIGH
8.8 Oct 19

An Out Of Bounds (OOB) access vulnerability in the handling of responses by a Juniper Agile License (JAL) Client in Juni

CVE-2021-31350 HIGH
8.8 Oct 19

An Improper Privilege Management vulnerability in the gRPC framework, used by the Juniper Extension Toolkit (JET) API on

CVE-2021-0208 HIGH
8.8 Jan 15

An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS all

CVE-2025-30651 HIGH
8.7 Apr 09

A Buffer Access with Incorrect Length Value vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos

CVE-2024-47502 HIGH
8.7 Oct 11

An Allocation of Resources Without Limits or Throttling vulnerability in the kernel of Juniper Networks Junos OS Evolved

Share

CVE-2026-57029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy