Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-39516

CVE-2024-39516: Juniper Junos BGP DoS Vulnerability

CVE-2024-39516 is a denial of service flaw in Juniper Junos OS and Junos OS Evolved caused by malformed BGP packets that crash the routing daemon. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2024-39516 Overview

CVE-2024-39516 is an Out-of-Bounds Read vulnerability [CWE-125] in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. An unauthenticated, network-based attacker can send a specifically malformed Border Gateway Protocol (BGP) packet to crash rpd, causing a Denial of Service (DoS). Continued processing of the malformed packet sustains the DoS condition. The vulnerability affects systems configured with either BGP traceoptions enabled or BGP traffic engineering, and impacts both iBGP and eBGP across any address family. The malformed attribute is non-transitive and will not propagate across a network.

Critical Impact

A single unauthenticated malformed BGP packet can repeatedly crash the rpd process, disrupting routing on affected Junos OS and Junos OS Evolved devices.

Affected Products

  • Juniper Junos OS: all versions before 21.4R3-S8; 22.2 before 22.2R3-S5; 22.3 before 22.3R3-S4; 22.4 before 22.4R3-S3; 23.2 before 23.2R2-S2; 23.4 before 23.4R2
  • Juniper Junos OS Evolved: all versions before 21.4R3-S8-EVO; 22.2-EVO before 22.2R3-S5-EVO; 22.3-EVO before 22.3R3-S4-EVO; 22.4-EVO before 22.4R3-S3-EVO
  • Juniper Junos OS Evolved: 23.2-EVO before 23.2R2-S2-EVO; 23.4-EVO before 23.4R2-EVO

Discovery Timeline

  • 2024-10-09 - CVE-2024-39516 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-39516

Vulnerability Analysis

The flaw resides in rpd, the routing protocol daemon responsible for handling BGP and other routing protocols on Junos devices. When rpd parses a specifically malformed BGP packet, it reads memory outside the bounds of an allocated buffer, triggering a process crash and automatic restart. Because BGP sessions can be re-established and the malformed packet can be re-sent, repeated processing of the attribute yields a sustained outage. The defective code path is only reachable when the device is configured with BGP traceoptions enabled or with BGP traffic engineering configured. The vulnerable attribute is non-transitive, so the malformed packet does not propagate beyond the directly peered router.

Root Cause

The root cause is an Out-of-Bounds Read [CWE-125] during the parsing of a BGP attribute. The parser fails to validate length or boundary conditions on the affected attribute before dereferencing memory, allowing crafted input to drive rpd past the end of the intended buffer. The condition manifests only along code paths exercised by traceoptions logging or BGP traffic engineering processing.

Attack Vector

Exploitation requires an attacker to deliver the malformed BGP packet to the rpd process on an affected device. Because the attribute is non-transitive, the attacker must be a direct BGP peer of the target (iBGP or eBGP) or otherwise be positioned to inject BGP messages into an existing session. No authentication or user interaction is required beyond the BGP peering relationship.

No public proof-of-concept exploit is available. The vulnerability is described in prose only; refer to the Juniper Security Advisory JSA88100 for vendor-provided technical context.

Detection Methods for CVE-2024-39516

Indicators of Compromise

  • Unexpected rpd crashes or core files on Junos OS or Junos OS Evolved devices, particularly correlated with inbound BGP UPDATE messages
  • Repeated BGP session flaps with the same peer immediately followed by rpd restart events in system logs
  • rpd restart messages such as RPD_TASK_REINIT or daemon-down syslog entries during normal BGP operation

Detection Strategies

  • Monitor Junos syslog and show system core-dumps output for rpd crashes that coincide with BGP peer activity
  • Inspect BGP UPDATE traffic on peering edges for malformed or unusual attributes, especially on routers running with traceoptions enabled
  • Correlate routing instability with peer source addresses to identify peers consistently triggering daemon restarts

Monitoring Recommendations

  • Forward Junos syslog and rpd trace files to a centralized SIEM or data lake for cross-device correlation of routing daemon failures
  • Alert on consecutive rpd restarts within a short interval to detect a sustained DoS condition
  • Track BGP session uptime and flap counters per peer to surface peers exploiting or inadvertently triggering the bug

How to Mitigate CVE-2024-39516

Immediate Actions Required

  • Upgrade Junos OS and Junos OS Evolved to a fixed release listed in Juniper Security Advisory JSA88100
  • If immediate patching is not possible, disable BGP traceoptions and review whether BGP traffic engineering is strictly required
  • Restrict BGP peering to authenticated, trusted neighbors and apply infrastructure ACLs to limit who can establish BGP sessions with the device

Patch Information

Juniper has released fixed software in Junos OS 21.4R3-S8, 22.2R3-S5, 22.3R3-S4, 22.4R3-S3, 23.2R2-S2, 23.4R2, and the corresponding Junos OS Evolved releases (-EVO). Consult Juniper Security Advisory JSA88100 for the authoritative list of fixed versions and upgrade guidance.

Workarounds

  • Disable BGP traceoptions on affected devices to remove one of the two preconditions for reaching the vulnerable code path. See the Juniper CLI Reference for BGP traceoptions.
  • Remove BGP traffic engineering configuration where it is not operationally required
  • Apply BGP peer authentication and prefix/attribute filtering at the network edge to reduce exposure from untrusted peers
bash
# Example: disable BGP traceoptions in Junos configuration mode
configure
delete protocols bgp traceoptions
commit and-quit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne