CVE-2024-39518 Overview
CVE-2024-39518 is a heap-based buffer overflow in the telemetry sensor process (sensord) of Juniper Networks Junos OS. The flaw affects MX240, MX480, and MX960 platforms equipped with the MPC10E line card. When the device is subscribed to a specific Junos Telemetry Interface (JTI) subscription, sensord leaks heap memory steadily until all resources are exhausted. The line card becomes unresponsive and requires a manual reboot to restore service. The issue is tracked under [CWE-122] heap-based buffer overflow and [CWE-787] out-of-bounds write.
Critical Impact
A telemetry subscription, whether established by a remote unauthenticated attacker or configured by an operator, drives sensord memory growth, eventually forcing a line card reboot and a full Denial of Service on MX-series routers.
Affected Products
- Juniper Junos OS on MX240, MX480, MX960 with MPC10E line cards
- Junos OS releases from 21.2R3-S5 before 21.2R3-S7, and from 21.4R3-S4 before 21.4R3-S6
- Junos OS releases from 22.2R3 before 22.2R3-S4, 22.3R2 before 22.3R3-S2, 22.4R1 before 22.4R3, and 23.2R1 before 23.2R2
Discovery Timeline
- 2024-07-10 - CVE-2024-39518 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-39518
Vulnerability Analysis
The vulnerability resides in sensord, the user-space daemon on the MPC10E line card responsible for streaming telemetry data through the Junos Telemetry Interface. When a client subscribes to a specific sensor path, sensord allocates heap buffers to format and serialize telemetry payloads. A boundary error during this serialization writes outside the allocated buffer, which manifests as a slow memory leak rather than an immediate crash. Over time, the sensord process consumes all available heap memory on the line card.
Operators can observe the growth using show system processes extensive and show system info | match sensord, where the MEMORY and PEAK MEMORY columns rise without bound. Once memory is exhausted, telemetry collection stalls and the line card stops processing traffic correctly, producing a Denial of Service. Recovery requires a manual reboot of the MPC10E line card.
Root Cause
The root cause is improper bounds checking when sensord writes telemetry data into heap-allocated buffers. The out-of-bounds write corrupts heap metadata in a way that prevents subsequent frees from reclaiming memory. This produces the characteristic monotonic memory growth observed by operators rather than an immediate segmentation fault.
Attack Vector
The condition only triggers when an active telemetry subscription exists on the device for the affected sensor. A network-reachable telemetry collector that establishes the affected subscription will progressively starve sensord of memory. No authentication on the dataplane is required to deliver the trigger once the subscription is configured. The attack is purely an availability impact; confidentiality and integrity are not affected.
No public proof-of-concept exploit is available for CVE-2024-39518, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Juniper Security Advisory JSA82982 for vendor-confirmed technical details.
Detection Methods for CVE-2024-39518
Indicators of Compromise
- Monotonically increasing MEMORY and PEAK MEMORY values for the sensord process in show system info | match sensord
- Line card unresponsiveness or telemetry stream interruption on MX240, MX480, or MX960 chassis using MPC10E
- Recovery only after a manual line card reboot, with memory growth resuming once telemetry subscriptions reattach
Detection Strategies
- Poll show system processes extensive on a recurring interval and alert when sensord resident memory exceeds a healthy baseline
- Correlate JTI subscription events with line card memory trend data to identify the specific sensor path that triggers the leak
- Track line card reboot frequency on MPC10E hardware as a secondary signal of resource exhaustion
Monitoring Recommendations
- Forward Junos syslog and SNMP memory utilization counters to a centralized logging or SIEM platform for trend analysis
- Establish thresholds for sensord memory growth rate, not just absolute values, since the leak is gradual
- Audit configured telemetry subscriptions and restrict subscribers to known-good collectors
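The baseline and growth-rate checks described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the original advisory or Juniper's tooling. The sample polls are constructed, and the column layout they follow (PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND, as in FreeBSD top-style output) is an assumption about what show system processes extensive prints.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: three polls, 300 s apart, of
# `show system processes extensive`, trimmed to the sensord row.
# Column layout is assumed to be FreeBSD top-style; RES is column 7.
SAMPLES = [
    (0,   "12345 root  1  20  0  512M  120M select  0  1:02  0.00% sensord"),
    (300, "12345 root  1  20  0  640M  250M select  0  1:10  0.00% sensord"),
    (600, "12345 root  1  20  0  780M  390M select  0  1:19  0.00% sensord"),
]

_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_sensord_res(output: str) -> Optional[int]:
    """Return sensord resident memory in bytes from one poll, or None if absent."""
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 12 and cols[-1] == "sensord":
            m = re.fullmatch(r"(\d+)([KMG]?)", cols[6])
            if m:
                return int(m.group(1)) * _UNITS.get(m.group(2), 1)
    return None


def growth_rate(points: List[Tuple[int, int]]) -> float:
    """Bytes per second between the first and last (timestamp, bytes) point."""
    (t0, r0), (t1, r1) = points[0], points[-1]
    return (r1 - r0) / (t1 - t0)


def evaluate(samples: List[Tuple[int, str]], max_rate_bps: float,
             max_res_bytes: int) -> Tuple[bool, bool, float]:
    """Return (rate_alert, absolute_alert, rate_bps) for timestamped polls.

    rate_alert fires only on sustained monotonic growth above max_rate_bps,
    which is the signature of this leak; absolute_alert is the plain
    baseline check on the latest resident size.
    """
    points = [(t, parse_sensord_res(o)) for t, o in samples]
    points = [(t, r) for t, r in points if r is not None]
    if len(points) < 2:
        return False, False, 0.0
    rate = growth_rate(points)
    monotonic = all(b[1] >= a[1] for a, b in zip(points, points[1:]))
    return (monotonic and rate > max_rate_bps), points[-1][1] > max_res_bytes, rate
```

Feed successive polls in with their collection timestamps; the rate threshold catches the slow leak long before the absolute threshold does.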
How to Mitigate CVE-2024-39518
Immediate Actions Required
- Identify any MX240, MX480, or MX960 chassis running an affected Junos OS release with MPC10E line cards and active JTI subscriptions
- Upgrade Junos OS to a fixed release as listed in Juniper Security Advisory JSA82982
- Where upgrade is not immediate, schedule controlled line card reboots before memory exhaustion to avoid unplanned outages
Patch Information
Juniper has released fixed Junos OS versions: 21.2R3-S7, 21.4R3-S6, 22.2R3-S4, 22.3R3-S2, 22.4R3, 23.2R2, and all subsequent releases. Operators should plan upgrades through standard Junos maintenance windows. Refer to the Juniper Security Advisory JSA82982 for the authoritative list of fixed builds.
Workarounds
- Disable the specific telemetry subscription that triggers the leak until the device is patched
- Restrict JTI access through firewall filters so that only trusted telemetry collectors can establish subscriptions
- Monitor sensord memory and proactively reboot the MPC10E line card during maintenance windows when growth is detected
# Operational commands to monitor sensord memory utilization on Junos
show system processes extensive
show system info | match sensord
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.