Juniper: >> Junos Os Evolved Security Vulnerabilities
A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS).
When telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered.
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-EVO.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-01-15
An Incorrect Calculation vulnerability in the Layer 2 Control
Protocol
Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage.
When the issue is seen, the following log message will be generated:
op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP,
This issue affects Junos OS Evolved:
* all versions before 21.4R3-S7-EVO,
* from 22.2 before 22.2R3-S4-EVO,
* from 22.3 before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-S2-EVO,
* from 23.2 before 23.2R2-S1-EVO,
* from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-01-15
A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root.
The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path.
This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled.
This issue affects:
Junos OS:
* from 23.2R2-S1 before 23.2R2-S5,
* from 23.4R2 before 23.4R2-S6,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2-S1,
* from 25.2 before 25.2R1-S2, 25.2R2;
Junos OS Evolved:
* from 23.2R2-S1 before 23.2R2-S5-EVO,
* from 23.4R2 before 23.4R2-S6-EVO,
* from 24.2 before 24.2R2-S3-EVO,
* from 24.4 before 24.4R2-S1-EVO,
* from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-01-15
A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.
Memory usage can be monitored through the use of the 'show task memory detail' command. For example:
user@junos> show task memory detail | match ted-infra
TED-INFRA-COOKIE 25 1072 28 1184 229
user@junos>
show task memory detail | match ted-infra
TED-INFRA-COOKIE 31 1360 34 1472 307
This issue affects:
Junos OS:
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S2, 23.4R2,
* from 24.1 before 24.1R2;
Junos OS Evolved:
* from 23.2 before 23.2R2-EVO,
* from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,
* from 24.1 before 24.1R2-EVO.
This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-01-15
An Untrusted Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with low privileges to cause a Denial-of-Service (DoS).
When the command 'show route < ( receive-protocol | advertising-protocol ) bgp > detail' is executed, and at least one of the routes in the intended output has specific attributes, this will cause an rpd crash and restart.
'show route ... extensive' is not affected.
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2-S5,
* 24.2 versions before 24.2R2-S2,
* 24.4 versions before 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-S6-EVO,
* 24.2 versions before 24.2R2-S2-EVO,
* 24.4 versions before 24.4R2-EVO.
CVSS Score
5.5
EPSS Score
0.0
Published
2026-01-15
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Juniper DHCP service (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a DHCP client in one subnet to exhaust the address pools of other subnets, leading to a Denial of Service (DoS) on the downstream DHCP server.
By default, the DHCP relay agent inserts its own Option 82 information when forwarding client requests, optionally replacing any Option 82 information provided by the client. When a specific DHCP DISCOVER is received in 'forward-only' mode with Option 82, the device should drop the message unless 'trust-option82' is configured. Instead, the DHCP relay forwards these packets to the DHCP server unmodified, which uses up addresses in the DHCP server's address pool, ultimately leading to address pool exhaustion.
This issue affects Junos OS:
* all versions before 21.2R3-S10,
* from 21.4 before 21.4R3-S12,
* all versions of 22.2,
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S6,
* from 24.2 before 24.2R2-S2,
* from 24.4 before 24.4R2,
* from 25.2 before 25.2R1-S1, 25.2R2.
Junos OS Evolved:
* all versions before 21.4R3-S12-EVO,
* all versions of 22.2-EVO,
* from 22.4 before 22.4R3-S8-EVO,
* from 23.2 before 23.2R2-S5-EVO,
* from 23.4 before 23.4R2-S6-EVO,
* from 24.2 before 24.2R2-S2-EVO,
* from 24.4 before 24.4R2-EVO,
* from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
CVSS Score
7.4
EPSS Score
0.0
Published
2026-01-15
An Incorrect Permission Assignment for Critical Resource vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to write to the Unix socket used to manage the jdhcpd process, resulting in complete control over the resource.
This vulnerability allows any low-privileged user logged into the system to connect to the Unix socket and issue commands to manage the DHCP service, in essence, taking administrative control of the local DHCP server or DHCP relay.
This issue affects:
Junos OS:
* all versions before 21.2R3-S10,
* all versions of 22.2,
* from 21.4 before 21.4R3-S12,
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S6,
* from 24.2 before 24.2R2-S2,
* from 24.4 before 24.4R2,
* from 25.2 before 25.2R1-S1, 25.2R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* from 23.2 before 23.2R2-S5-EVO,
* from 23.4 before 23.4R2-S6-EVO,
* from 24.2 before 24.2R2-S2-EVO,
* from 24.4 before 24.4R2-EVO,
* from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.
CVSS Score
5.5
EPSS Score
0.0
Published
2026-01-15
A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer.
This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring:
[ protocols bgp ... disable-4byte-as ]
Established BGP sessions can be checked by executing:
show bgp neighbor <IP address> | match "4 byte AS"
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S2,
* 24.4 versions before 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-S6-EVO,
* 24.2 versions before 24.2R2-S2-EVO,
* 24.4 versions before 24.4R2-EVO.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-01-15
An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an availability impact for downstream devices.
When an affected device receives a specific optional, transitive BGP attribute over an existing BGP session, it will be erroneously modified before propagation to peers. When the attribute is detected as malformed by the peers, these peers will most likely terminate the BGP sessions with the affected devices and thereby cause an availability impact due to the resulting routing churn.
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S2,
* 24.4 versions before 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-S6-EVO,
* 24.2 versions before 24.2R2-S2-EVO,
* 24.4 versions before 24.4R2-EVO.
CVSS Score
5.8
EPSS Score
0.0
Published
2026-01-15
A password aging vulnerability in the RADIUS client of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated, network-based attacker to access the device without enforcing the required password change.
Affected devices allow logins by users for whom the RADIUS server has responded with a reject and required the user to change the password as their password was expired. Therefore the policy mandating the password change is not enforced.
This does not allow users to login with a wrong password, but only with the correct but expired one.
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S5,
* 24.2 versions before 24.2R2-S1,
* 24.4 versions before 24.4R1-S3, 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S4-EVO,
* 23.4 versions before 23.4R2-S5-EVO,
* 24.2 versions before 24.2R2-S1-EVO,
* 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-10-09
Page 1