Skip to main content

Juniper Junos OS EUVDEUVD-2026-42706

| CVE-2026-57019 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-07-09 juniper GHSA-qwhr-x4c6-c5hc
7.1
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
7.1 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
vuln.today AI
6.5 MEDIUM

Adjacent Layer-2 delivery (AV:A) with no auth or interaction and low complexity, causing availability-only impact via FPC reset (A:H, C/I:N); scope unchanged as impact stays within the router.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Updated
Jul 09, 2026 - 22:36 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 22:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jul 09, 2026 - 22:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Jul 09, 2026 - 22:15 vuln.today
CVE Published
Jul 09, 2026 - 21:04 cve.org
MEDIUM 6.5

DescriptionCVE.org

An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).

When a specific packet is received from device in the same broadcast domain, an affected system calculates the packet size incorrectly. This causes further packet processing to fail, which triggers an FPC major error, resulting in a FPC reset impacting traffic until the FPC has automatically recovered.

Affected scenarios are: MAP-T, or non-IP traffic encapsulated in IP (e.g. MPLS over GRE).

When this issue happens the following logs can be observed:

fpc<#> CMError: /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb), scope: pfe, category: functional, severity: major, module: MQSS(0), type: LI: Unroll TAIL length overflow, oc_category: default fpc<#> Performing action reset-fru for error /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb) in module: MQSS(0) with scope: pfe category: functional level: major, oc_category: default

This issue affects Junos OS on MX Series:

  • all versions before 23.2R2-S6,
  • 23.4 versions before 23.4R2-S7,
  • 24.2 versions before 24.2R2-S4,
  • 24.4 versions before 24.4R2-S4,
  • 25.2 versions before 25.2R2.

AnalysisAI

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain Layer-2 adjacency to MX router
Delivery
Craft malformed MAP-T / MPLS-over-GRE packet
Exploit
PFE miscalculates packet size
Execution
MQSS TAIL length overflow major error
Impact
FPC reset drops all line-card traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires Layer-2 adjacency - the attacker must be in the same broadcast domain as the target MX router to deliver the crafted packet (AV:A), so it is not remotely routable across the internet. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 7.1 (High) with vector AV:A/AC:L/PR:N/UI:N and availability-only impact (VA:H, SA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a foothold on a host or device in the same broadcast domain as an MX Series router (for example a compromised server on an access VLAN, or a rogue device on a peering segment) crafts a single packet in the affected MAP-T or MPLS-over-GRE format and sends it toward the router. The PFE miscomputes the packet size, raises an MQSS major error, and the FPC resets, dropping all traffic on that line card until it recovers; repeating the packet produces a sustained outage. …
Remediation Vendor-released patch: upgrade Junos OS on MX Series to a fixed release - 23.2R2-S6, 23.4R2-S7, 24.2R2-S4, 24.4R2-S4, or 25.2R2 (or later) per Juniper advisory JSA110079 (https://supportportal.juniper.net/JSA110079). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all MX Series deployments and identify systems handling MAP-T or non-IP-over-IP traffic (MPLS over GRE); document Layer-2 network access points. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57026 HIGH
8.7 Jul 09

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated

CVE-2026-57023 HIGH
8.7 Jul 09

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthen

CVE-2026-57022 HIGH
8.2 Jul 09

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls l

CVE-2026-57030 HIGH
8.2 Jul 09

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exh

CVE-2026-57032 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low

CVE-2026-57027 HIGH
7.1 Jul 09

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t

CVE-2026-57020 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)

CVE-2026-57021 MEDIUM
6.9 Jul 09

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t

CVE-2026-57024 MEDIUM
6.9 Jul 09

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that ass

CVE-2026-57054 MEDIUM
6.9 Jul 09

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta

CVE-2026-57025 MEDIUM
6.8 Jul 09

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a loc

CVE-2026-33802 MEDIUM
6.8 Jul 09

Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally au

Share

EUVD-2026-42706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy