Skip to main content

Junos EUVDEUVD-2026-21195

| CVE-2026-33774 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-04-09 sirt@juniper.net GHSA-3p5v-chx4-4483
6.9
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X

Primary rating from Vendor (juniper) · only source for this CVE.

CVSS VectorVendor: juniper

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
23.4R2-S7,24.2R2,24.4R2
EUVD ID Assigned
Apr 09, 2026 - 22:22 euvd
EUVD-2026-21195
Analysis Generated
Apr 09, 2026 - 22:22 vuln.today
CVE Published
Apr 09, 2026 - 22:16 nvd
MEDIUM 6.9

DescriptionCVE.org

An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.

On MX platforms with

MPC10, MPC11, LC4800 or LC9600

line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance.

An affected configuration would be:

user@host

show configuration interfaces lo0 | display set

set interfaces lo0 unit 1 family inet filter input <filter-name>

where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI.

The issue can be observed with the CLI command:

user@device> show firewall counter filter <filter_name>

not showing any matches.

This issue affects Junos OS on MX Series:

  • all versions before 23.2R2-S6,
  • 23.4 versions before 23.4R2-S7,
  • 24.2 versions before 24.2R2,
  • 24.4 versions before 24.4R2.

AnalysisAI

Firewall filter bypass in Juniper Networks Junos OS on MX Series allows unauthenticated network-based attackers to access the control plane by exploiting improper exception handling in the packet forwarding engine when firewall filters are applied to non-zero loopback interfaces in the default routing instance. Affected MX platforms with MPC10, MPC11, LC4800, LC9600 line cards and MX304 models running Junos OS versions before 23.2R2-S6, 23.4R2-S7, 24.2R2, or 24.4R2 fail to enforce configured lo0.n ingress filters, allowing bypass of access controls designed to protect critical infrastructure management interfaces. No public exploit identified at time of analysis, but the vulnerability requires only network access and no authentication to trigger.

Technical ContextAI

The vulnerability exists in Juniper's packet forwarding engine (pfe) on MX Series routers, which handles L3 packet processing and firewall filter enforcement. The root cause is an improper exception condition check (CWE-754) in the filter execution logic for loopback interfaces operating in the default routing instance. Loopback interfaces (lo0) serve as management and routing protocol endpoints on enterprise routers; when a non-zero subinterface (lo0.n) is configured with an ingress firewall filter but is not explicitly bound to a non-default routing-instance, the pfe fails to execute the filter rules during packet processing. This is specific to line card architectures MPC10, MPC11, LC4800, and LC9600, plus the MX304 platform. The affected CPE would be cpe:2.3:o:juniper:junos:*:*:*:*:*:mx:* with constraints on line card type and loopback interface configuration in default VRF.

RemediationAI

Organizations must upgrade to patched versions: Junos OS 23.2R2-S6 or later for 23.2.x, 23.4R2-S7 or later for 23.4.x, 24.2R2 or later for 24.2.x, or 24.4R2 or later for 24.4.x. As an interim workaround before patching, explicitly bind non-zero loopback interface units to a non-default routing-instance configuration, which will force the pfe to execute configured firewall filters. Alternatively, apply the firewall filter to lo0.0 (the default loopback unit) or to egress filters instead of ingress filters on the affected lo0.n subinterfaces. Verify filter enforcement using the CLI command 'show firewall counter filter <filter-name>' after reconfiguration to confirm that packet matches are being logged. Complete patching should be prioritized as workarounds do not address the underlying engine defect. Consult https://kb.juniper.net/JSA107865 for detailed upgrade procedures and configuration examples.

More in Junos

View all
CVE-2016-1285 MEDIUM
6.8 Mar 09

named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 does not properly handle DNAME records when parsing fe

CVE-2016-1286 HIGH
8.6 Mar 09

named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (

CVE-2023-36845 CRITICAL POC
9.8 Aug 17

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series all

CVE-2013-6618 CRITICAL POC
9.0 Nov 05

jsdm/ajax/port.php in J-Web in Juniper Junos before 10.4R13, 11.4 before 11.4R7, 12.1 before 12.1R5, 12.2 before 12.2R3,

CVE-2014-6380 HIGH POC
7.8 Oct 14

Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 befor

CVE-2021-0253 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local command execution vulnerability thereby al

CVE-2021-0252 HIGH POC
7.8 Apr 22

NFX Series devices using Juniper Networks Junos OS are susceptible to a local code execution vulnerability thereby allow

CVE-2019-0053 HIGH POC
7.8 Jul 11

Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffe

CVE-2023-22415 HIGH POC
7.5 Jan 13

An Out-of-Bounds Write vulnerability in the H.323 ALG of Juniper Networks Junos OS allows an unauthenticated, network-ba

CVE-2022-22223 HIGH POC
7.5 Oct 18

On QFX10000 Series devices using Juniper Networks Junos OS when configured as transit IP/MPLS penultimate hop popping (P

CVE-2022-22209 HIGH POC
7.5 Jul 20

A Missing Release of Memory after Effective Lifetime vulnerability in the kernel of Juniper Networks Junos OS allows an

CVE-2022-22188 HIGH POC
7.5 Apr 14

An Uncontrolled Memory Allocation vulnerability leading to a Heap-based Buffer Overflow in the packet forwarding engine

Share

EUVD-2026-21195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy