Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X
Lifecycle Timeline
7DescriptionCVE.org
A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS).
In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald.
Use the following command to monitor the memory consumption by l2ald:
user@device> show system process extensive | match "PID|l2ald"
This issue affects:
Junos OS:
- all versions before 22.4R3-S5,
- 23.2 versions before 23.2R2-S3,
- 23.4 versions before 23.4R2-S4,
- 24.2 versions before 24.2R2;
Junos OS Evolved:
- all versions before 22.4R3-S5-EVO,
- 23.2 versions before 23.2R2-S3-EVO,
- 23.4 versions before 23.4R2-S4-EVO,
- 24.2 versions before 24.2R2-EVO.
AnalysisAI
Memory leak in Juniper Networks l2ald daemon allows adjacent attackers to crash Layer 2 services on EVPN-MPLS networks. Affects Junos OS and Junos OS Evolved across multiple versions. Unauthenticated attackers on the same network segment can trigger resource exhaustion by causing ESI route churn from multi-homed Provider Edge devices, forcing l2ald process crash and restart. No public exploit identified at time of analysis, but exploitation requires only network adjacency without authentication.
Technical ContextAI
CWE-401 memory management flaw in l2ald daemon fails to release allocated memory for ESI routes learned from remote multi-homed PE devices in EVPN-MPLS topologies. Route churn triggers cumulative memory allocation without corresponding deallocation, causing unbounded resource consumption. CVSS:4.0 adjacency vector (AV:A) with no privilege requirement (PR:N) indicates local network exploitation.
RemediationAI
Vendor-released patches: Junos OS 22.4R3-S5, 23.2R2-S3, 23.4R2-S4, 24.2R2 or later. Junos OS Evolved 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S4-EVO, 24.2R2-EVO or later. Prioritize deployment on systems running EVPN-MPLS configurations with multi-homed PE devices. Monitor l2ald memory consumption using 'show system process extensive | match PID|l2ald' as interim detection. No workaround exists; upgrade to patched releases is required. Official advisory: https://kb.juniper.net/JSA107819. Exploitation requires network adjacency; isolate management and control-plane networks where possible.
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r
A security vulnerability in An Improper (CVSS 6.7) that allows a local attacker with high privileges. Risk factors: acti
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all
jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,
An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote un
Certain Secure Access SA Series SSL VPN products (originally developed by Juniper Networks but now sold and supported by
Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor
NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al
NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe
An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba
On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P
Same weakness CWE-401 – Memory Leak
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21090
GHSA-wcmx-9w9j-q7ph