Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Adjacent Layer-2 delivery (AV:A) with no auth or interaction and low complexity, causing availability-only impact via FPC reset (A:H, C/I:N); scope unchanged as impact stays within the router.
Primary rating from Vendor (juniper).
CVSS VectorVendor: juniper
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
Lifecycle Timeline
8DescriptionCVE.org
An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
When a specific packet is received from device in the same broadcast domain, an affected system calculates the packet size incorrectly. This causes further packet processing to fail, which triggers an FPC major error, resulting in a FPC reset impacting traffic until the FPC has automatically recovered.
Affected scenarios are: MAP-T, or non-IP traffic encapsulated in IP (e.g. MPLS over GRE).
When this issue happens the following logs can be observed:
fpc<#> CMError: /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb), scope: pfe, category: functional, severity: major, module: MQSS(0), type: LI: Unroll TAIL length overflow, oc_category: default fpc<#> Performing action reset-fru for error /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb) in module: MQSS(0) with scope: pfe category: functional level: major, oc_category: default
This issue affects Junos OS on MX Series:
- all versions before 23.2R2-S6,
- 23.4 versions before 23.4R2-S7,
- 24.2 versions before 24.2R2-S4,
- 24.4 versions before 24.4R2-S4,
- 25.2 versions before 25.2R2.
Articles & Coverage 1
AnalysisAI
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires Layer-2 adjacency - the attacker must be in the same broadcast domain as the target MX router to deliver the crafted packet (AV:A), so it is not remotely routable across the internet. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 7.1 (High) with vector AV:A/AC:L/PR:N/UI:N and availability-only impact (VA:H, SA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a foothold on a host or device in the same broadcast domain as an MX Series router (for example a compromised server on an access VLAN, or a rogue device on a peering segment) crafts a single packet in the affected MAP-T or MPLS-over-GRE format and sends it toward the router. The PFE miscomputes the packet size, raises an MQSS major error, and the FPC resets, dropping all traffic on that line card until it recovers; repeating the packet produces a sustained outage. … |
| Remediation | Vendor-released patch: upgrade Junos OS on MX Series to a fixed release - 23.2R2-S6, 23.4R2-S7, 24.2R2-S4, 24.4R2-S4, or 25.2R2 (or later) per Juniper advisory JSA110079 (https://supportportal.juniper.net/JSA110079). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all MX Series deployments and identify systems handling MAP-T or non-IP-over-IP traffic (MPLS over GRE); document Layer-2 network access points. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated
Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthen
Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls l
Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exh
Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low
Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t
Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)
Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t
Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that ass
Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta
Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a loc
Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally au
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42706
GHSA-qwhr-x4c6-c5hc