Skip to main content

Junos Os

14 CVEs product

Monthly

CVE-2026-57054 MEDIUM PATCH This Month

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.

Authentication Bypass Juniper Junos Os
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-57032 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low-privileged authenticated attacker crash the Flexible PIC Concentrator (FPC) by subscribing over gRPC to an unsupported telemetry sensor path in the packet forwarding engine. Each crash produces a complete forwarding outage until the module auto-restarts, and the trigger can be repeated for sustained disruption. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low complexity and single low-privilege prerequisite make it operationally easy to trigger.

Juniper Denial Of Service Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-57031 MEDIUM PATCH This Month

Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. No public exploit code has been identified and the vulnerability is absent from CISA KEV, though the CVSS 4.0 AU:Y (Automatable) supplemental metric indicates exploitation could be scripted at scale against affected broadband aggregation deployments.

Authentication Bypass Juniper Junos Os
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-57030 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control.

Juniper Race Condition Information Disclosure Junos Os
NVD VulDB
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-57027 HIGH PATCH This Week

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker to exhaust packet-forwarding-engine memory and crash the Flexible PIC Concentrator (FPC). The flaw triggers only when sFlow monitoring is enabled in a Virtual Chassis and multicast traffic ingresses on one VC member and egresses on another, causing a slow buffer leak that culminates in an FPC crash and restart. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability risk for affected deployments.

Juniper Denial Of Service Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57026 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated, network-based attacker to crash the flow processing daemon (flowd) by sending a malformed SIP INVITE packet when the SIP Application Layer Gateway (ALG) is enabled. The crash forces a flowd restart, producing a complete traffic-forwarding outage until the device auto-recovers, and can be repeated to sustain the outage. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-57025 MEDIUM PATCH This Month

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a local, low-privileged attacker to crash the l2ald (Layer 2 Address Learning Daemon) by issuing a specific 'show l2-learning' CLI command, disrupting all Layer 2 services until the process automatically restarts. The root cause is a Return of Pointer Value Outside of Expected Range flaw (CWE-466) in the fileio library. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA or the vendor.

Juniper Denial Of Service Junos Os Junos Os Evolved
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-57024 MEDIUM PATCH This Month

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that assigns duplicate index values to new peers, triggering continuous iked process crashes and a full VPN service outage requiring system reboot. Unauthenticated network-based attackers can deliberately flood the device with failing VPN negotiations to accelerate the rollover condition. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable, zero-privilege attack vector makes this a meaningful risk for any organization relying on Juniper-based VPN infrastructure with iked enabled.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-57023 HIGH PATCH This Week

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability threat to perimeter devices.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-57022 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). Juniper-reported with CVSS 4.0 8.2; no public exploit identified at time of analysis and it is not in CISA KEV.

Juniper Denial Of Service Junos Os
NVD
CVSS 4.0
8.2
EPSS
0.4%
CVE-2026-57021 MEDIUM PATCH This Month

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact.

Memory Corruption Juniper Buffer Overflow Junos Os
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-57020 HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1.

Juniper Information Disclosure Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-57019 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Buffer Overflow Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-33802 MEDIUM PATCH This Month

Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally authenticated user, regardless of privilege class or assigned permissions, to execute a specific privileged 'request' command and cause complete traffic disruption on the affected switch. Affected platforms span EX2300, EX4000, EX4100, EX4300-MP, and EX4400 across six active Junos OS release trains from 23.2 through 25.4. No public exploit has been identified at time of analysis and the system recovers automatically, but the low barrier to exploitation - any authenticated local user qualifies - makes this a meaningful insider threat in shared-access or multi-tenant switch environments.

Authentication Bypass Juniper Junos Os
NVD
CVSS 4.0
6.8
EPSS
0.1%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.

Authentication Bypass Juniper Junos Os
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on EX Series switches (EX2300, EX3400, EX4000, EX4100, EX4400) lets a low-privileged authenticated attacker crash the Flexible PIC Concentrator (FPC) by subscribing over gRPC to an unsupported telemetry sensor path in the packet forwarding engine. Each crash produces a complete forwarding outage until the module auto-restarts, and the trigger can be repeated for sustained disruption. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low complexity and single low-privilege prerequisite make it operationally easy to trigger.

Juniper Denial Of Service Junos Os
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Ingress firewall filter bypass in Juniper Networks Junos OS on MX Series hardware (MPC10/11, LC4800/9600/4802, MX304) allows adjacent subscribers on static interfaces to evade configured protocol-level access controls and upstream bandwidth limitations. The Packet Forwarding Engine (PFE) fails to enforce ingress filters for these subscriber configurations, meaning neither protocol restrictions nor rate-limiting policies take effect. No public exploit code has been identified and the vulnerability is absent from CISA KEV, though the CVSS 4.0 AU:Y (Automatable) supplemental metric indicates exploitation could be scripted at scale against affected broadband aggregation deployments.

Authentication Bypass Juniper Junos Os
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on SRX Series devices lets an unauthenticated, network-based attacker exhaust the packet forwarding engine (PFE) by exploiting a race condition in stateful flow teardown. When the race is hit, a flow's timeout is mis-set to a very high value (>10,000s instead of 3s), so sessions are never reaped, invalidated sessions accumulate without bound, and the device eventually stops forwarding or hits a flowd core and reboots. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation is probabilistic because the triggering conditions are outside the attacker's control.

Juniper Race Condition Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker to exhaust packet-forwarding-engine memory and crash the Flexible PIC Concentrator (FPC). The flaw triggers only when sFlow monitoring is enabled in a Virtual Chassis and multicast traffic ingresses on one VC member and egresses on another, causing a slow buffer leak that culminates in an FPC crash and restart. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability risk for affected deployments.

Juniper Denial Of Service Junos Os
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated, network-based attacker to crash the flow processing daemon (flowd) by sending a malformed SIP INVITE packet when the SIP Application Layer Gateway (ALG) is enabled. The crash forces a flowd restart, producing a complete traffic-forwarding outage until the device auto-recovers, and can be repeated to sustain the outage. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Juniper Denial Of Service Junos Os
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a local, low-privileged attacker to crash the l2ald (Layer 2 Address Learning Daemon) by issuing a specific 'show l2-learning' CLI command, disrupting all Layer 2 services until the process automatically restarts. The root cause is a Return of Pointer Value Outside of Expected Range flaw (CWE-466) in the fileio library. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA or the vendor.

Juniper Denial Of Service Junos Os +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that assigns duplicate index values to new peers, triggering continuous iked process crashes and a full VPN service outage requiring system reboot. Unauthenticated network-based attackers can deliberately flood the device with failing VPN negotiations to accelerate the rollover condition. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable, zero-privilege attack vector makes this a meaningful risk for any organization relying on Juniper-based VPN infrastructure with iked enabled.

Juniper Denial Of Service Junos Os
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability threat to perimeter devices.

Juniper Denial Of Service Junos Os
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). Juniper-reported with CVSS 4.0 8.2; no public exploit identified at time of analysis and it is not in CISA KEV.

Juniper Denial Of Service Junos Os
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact.

Memory Corruption Juniper Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on QFX10000 Series switches allows an unauthenticated, adjacent (Layer 2) attacker to saturate data-center links by injecting IPv6 multicast traffic in an EVPN-VxLAN fabric. When such packets reach a non-IRB interface of a spine switch, the packet-forwarding engine floods them to other spines and all ESI leaf switches, creating an endless forwarding loop that starves legitimate traffic. No public exploit identified at time of analysis and it is not listed in CISA KEV; the vendor-assigned CVSS 4.0 base score is 7.1.

Juniper Information Disclosure Junos Os
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Buffer Overflow Junos Os
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Junos OS on Juniper EX Series access switches exposes a missing authorization flaw in the CLI that allows any locally authenticated user, regardless of privilege class or assigned permissions, to execute a specific privileged 'request' command and cause complete traffic disruption on the affected switch. Affected platforms span EX2300, EX4000, EX4100, EX4300-MP, and EX4400 across six active Junos OS release trains from 23.2 through 25.4. No public exploit has been identified at time of analysis and the system recovers automatically, but the low barrier to exploitation - any authenticated local user qualifies - makes this a meaningful insider threat in shared-access or multi-tenant switch environments.

Authentication Bypass Juniper Junos Os
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy