Skip to main content

Junos OS EUVDEUVD-2026-42719

| CVE-2026-57030 HIGH
Race Condition (CWE-362)
2026-07-09 juniper GHSA-6hx5-3rjf-rm36
8.2
CVSS 4.0 · Vendor: juniper
Share

Severity by source

Vendor (juniper) PRIMARY
8.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable and unauthenticated (AV:N/PR:N/UI:N) but the race is non-deterministic and outside attacker control, so AC:H; impact is availability-only (A:H, C/I:N) on the device itself (S:U).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Primary rating from Vendor (juniper).

CVSS VectorVendor: juniper

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 09, 2026 - 23:02 EUVD
Analysis Generated
Jul 09, 2026 - 22:24 vuln.today
Severity Changed
Jul 09, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jul 09, 2026 - 22:22 NVD
5.9 (MEDIUM) 8.2 (HIGH)

DescriptionCVE.org

A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

As part of the stateful traffic processing on SRX Series devices flows are being established, and removed when not needed anymore. During the removal process the timeout of a flow should be set to 3 seconds and consequentially the flow should be removed shortly after. Due to a race condition occurring when setting the timeout there is a chance (the exact conditions are outside the attackers control) that the timeout is instead set to a very high value of larger than 10,000 seconds:

user@host> show security flow session | match timeout Session ID: 98784248524, Policy name: PROD-FLOW/4, HA State: Active, Timeout: 85250, Session State: Valid

This will lead to an accumulation of flows which can be observed by an ever-increasing value of invalidated sessions in the output of 'show security flow session summary':

user@host> show security flow session summary | match invalid Invalidated sessions: 216931These sessions can't be cleared manually with the 'clear security flow session' command, which will either lead to forwarding to stop (and the system needs to be manually recovered with a reboot) or to a flowd core and automatic reboot.

This issue affects Junos OS on SRX Series:

  • 24.2 versions before 24.2R2-S3,
  • 24.4 versions before 24.4R2-S1, 24.4R2-S2,
  • 25.2 versions before 25.2R1-S2, 25.2R2.

This issue does not affect releases earlier than 24.2R1;

AnalysisAI

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed SRX flow path
Delivery
Send high-churn network traffic
Exploit
Race hits during flow teardown
Execution
Flow timeout mis-set >10000s
Persist
Invalidated sessions accumulate unbounded
Impact
Forwarding stops or flowd cores/reboots

Vulnerability AssessmentAI

Exploitation Exploitation targets the stateful flow session teardown path on SRX Series devices, so the device must be actively performing stateful traffic processing (the normal SRX firewall mode) and be reachable by attacker-influenced network traffic - no authentication and no user interaction are required (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base of 8.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L) reflects a network-reachable, unauthenticated availability-only impact - no confidentiality or integrity effect - with an explicit Attack Requirement (AT:P) capturing that the race is non-deterministic and its conditions are outside attacker control. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the network path sends sustained, high-churn traffic (many short-lived connections that rapidly establish and tear down flows) through an exposed SRX device to maximize the probability of triggering the flow-teardown race. Over time some flows get the erroneous multi-thousand-second timeout and are never reaped, so invalidated sessions accumulate until the PFE stops forwarding or flowd cores and the box reboots. …
Remediation Vendor-released patch: upgrade Junos OS on SRX to a fixed release - 24.2R2-S3, 24.4R2-S1 or 24.4R2-S2, or 25.2R1-S2 or 25.2R2 (or later on each train), per Juniper advisory JSA110090 (https://supportportal.juniper.net/JSA110090). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Juniper SRX Series devices in production and document their criticality to network architecture. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57026 HIGH
8.7 Jul 09

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated

CVE-2026-57023 HIGH
8.7 Jul 09

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthen

CVE-2026-57022 HIGH
8.2 Jul 09

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls l

CVE-2026-57032 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low

CVE-2026-57027 HIGH
7.1 Jul 09

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker t

CVE-2026-57020 HIGH
7.1 Jul 09

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2)

CVE-2026-57019 HIGH
7.1 Jul 09

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauth

CVE-2026-57021 MEDIUM
6.9 Jul 09

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes t

CVE-2026-57024 MEDIUM
6.9 Jul 09

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that ass

CVE-2026-57054 MEDIUM
6.9 Jul 09

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network atta

CVE-2026-57025 MEDIUM
6.8 Jul 09

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a loc

CVE-2026-33802 MEDIUM
6.8 Jul 09

Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally au

Share

EUVD-2026-42719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy