CVE Vulnerability Database

CVE-2024-39540: Juniper Junos DoS Vulnerability

CVE-2024-39540 is a denial-of-service vulnerability in Juniper Junos OS affecting SRX Series devices and MX Series devices fitted with an SPC3 services card. Receipt of specific valid TCP traffic crashes the Packet Forwarding Engine (PFE), which restarts and causes a momentary but complete service outage; repeating the traffic repeats the outage. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2024-39540 Overview

CVE-2024-39540 is a denial-of-service vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS. The flaw affects SRX Series devices and MX Series devices equipped with the SPC3 service card. An unauthenticated, network-based attacker can trigger the issue by sending specific valid TCP traffic to an affected device. The pfe process crashes and restarts, producing a momentary but complete service outage; the impact is to availability only, with no confidentiality or integrity effect described. The vulnerability is categorized under CWE-754, Improper Check for Unusual or Exceptional Conditions. Only Junos OS 21.2R3-S5 and later 21.2R3 releases before 21.2R3-S6 are affected; releases before 21.2R3-S5 and 21.2R3-S6 and later are not.

Critical Impact

Remote, unauthenticated attackers can crash the Packet Forwarding Engine on SRX Series and MX Series (SPC3) devices by sending specific valid TCP traffic, interrupting all forwarding on the affected device until the pfe has restarted.

Affected Products

  • Juniper Junos OS 21.2R3-S5 and later releases before 21.2R3-S6 on SRX Series
  • Juniper Junos OS 21.2R3-S5 and later releases before 21.2R3-S6 on MX Series with an SPC3 services card installed
  • The advisory scopes the issue by platform family and release, not by individual chassis model: any SRX Series platform on the affected release is in scope, and MX Series platforms only when an SPC3 is present

Discovery Timeline

  • 2024-07-11 - CVE-2024-39540 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-39540

Vulnerability Analysis

The vulnerability resides in the Packet Forwarding Engine (pfe), the data-plane component responsible for high-speed packet processing on Juniper SRX and MX platforms. When the pfe processes certain valid TCP packets, it fails to handle an unusual or exceptional condition within the processing path. The resulting fault causes the pfe process to crash and restart automatically. During the restart window, the device cannot forward traffic, producing a complete service outage on the affected platform. Because the trigger is valid TCP traffic rather than malformed input, filters and IPS signatures that look for protocol violations will not catch it. Repeated transmission of the triggering traffic can produce a sustained outage by forcing continuous pfe restarts.

Root Cause

The root cause is an improper check for unusual or exceptional conditions ([CWE-754]) inside the pfe packet-processing logic. The engine does not validate or safely handle a specific TCP processing state, so reaching that state produces a fatal fault in the pfe process, which then restarts.

Attack Vector

Exploitation requires only that the specific valid TCP traffic reach the affected device. The attacker does not need credentials, user interaction, or privileges, and no authenticated channel or special protocol negotiation is required, per the Juniper Security Advisory JSA83000. The advisory describes the trigger as traffic received by the device and does not identify the protocol, port, or whether the traffic must be addressed to the device itself, so exposure should be assessed for every interface that can receive TCP from untrusted sources.

No verified public exploit code is available for this issue. Refer to the Juniper advisory for the technical specifics Juniper has chosen to disclose.

Detection Methods for CVE-2024-39540

Indicators of Compromise

  • Unexpected pfe process crashes or restarts recorded in Junos system logs and core files
  • Brief but complete loss of data-plane forwarding correlated with inbound TCP flows
  • Repeated pfe restart events within short time windows on SRX or MX (SPC3) devices running Junos 21.2R3-S5

Detection Strategies

  • Monitor Junos syslog for pfe daemon termination, restart, and core dump messages using show log messages and show system core-dumps
  • Correlate pfe crash timestamps with inbound TCP traffic captures to identify potential triggering sources
  • Track interface and routing-protocol flap events that align with pfe restart windows
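The indicators and detection strategies above come down to one question a collector can answer: is the pfe on a given device restarting, and is it restarting repeatedly inside a short window? The following is an added example, not code from the page or from Juniper. It parses BSD-style syslog lines as forwarded by a Junos device, counts pfe restart and core-dump messages per host, and flags a burst of restarts (three within five minutes by default). The log lines are constructed for illustration, and the pfe message wording the regexes look for is a placeholder that must be tuned to the exact text your own devices emit (compare against show log messages and show system core-dumps on a known crash).

```python
import re
from collections import defaultdict
from datetime import datetime

# Classic BSD syslog line as a Junos device writes it to a remote collector:
#   "Jul 11 10:02:13 srx-edge-1 init: pfe (PID 4242) restarted"
# The year is not in the line, so the caller supplies it.
SYSLOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Indicator patterns. These are constructed placeholders: tune them against the
# exact wording your devices log for a pfe restart and for a pfe core dump.
PFE_RESTART = re.compile(r"\bpfe\b.*\brestart", re.IGNORECASE)
PFE_CORE = re.compile(r"\bpfe\b.*\b(core|terminated|crash)", re.IGNORECASE)

# Constructed sample: one SRX with three pfe crash/restart pairs in 90 seconds,
# one MX with a single restart, and unrelated noise on both.
SAMPLE_LOG = [
    "Jul 11 10:02:13 srx-edge-1 kernel: pfe process terminated unexpectedly, dumping core",
    "Jul 11 10:02:14 srx-edge-1 init: pfe (PID 4242) restarted",
    "Jul 11 10:02:50 srx-edge-1 kernel: pfe process terminated unexpectedly, dumping core",
    "Jul 11 10:02:51 srx-edge-1 init: pfe (PID 4301) restarted",
    "Jul 11 10:03:40 srx-edge-1 kernel: pfe process terminated unexpectedly, dumping core",
    "Jul 11 10:03:41 srx-edge-1 init: pfe (PID 4388) restarted",
    "Jul 11 10:05:02 srx-edge-1 sshd[777]: Accepted publickey for admin from 10.0.0.5",
    "Jul 11 23:15:09 mx-core-1 init: pfe (PID 9001) restarted",
    "Jul 12 01:00:00 mx-core-1 mgd[55]: UI_COMMIT: User 'netops' requested 'commit' operation",
]


def parse_line(line, year=2024):
    """Split a syslog line into (timestamp, host, message); None if it does not parse."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def has_burst(timestamps, window_seconds, threshold):
    """True if at least `threshold` events fall inside any `window_seconds` window."""
    ts = sorted(timestamps)
    j = 0
    for i in range(len(ts)):
        # Slide the window start forward until it covers ts[i].
        while (ts[i] - ts[j]).total_seconds() > window_seconds:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def summarize(lines, window_seconds=300, burst_threshold=3, year=2024):
    """Per-host pfe restart count, core-dump count, and whether restarts came in a burst.

    Any host that appears in the result had at least one unscheduled pfe event and
    deserves a look; `burst` is the signature of the sustained-outage case.
    """
    restarts = defaultdict(list)
    cores = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if PFE_RESTART.search(msg):
            restarts[host].append(ts)
        elif PFE_CORE.search(msg):
            cores[host] += 1
    return {
        host: {
            "restarts": len(restarts[host]),
            "core_dumps": cores[host],
            "burst": has_burst(restarts[host], window_seconds, burst_threshold),
        }
        for host in set(restarts) | set(cores)
    }


if __name__ == "__main__":
    for host, facts in sorted(summarize(SAMPLE_LOG).items()):
        print(host, facts)
```

In a SIEM the same logic maps to a per-host count of restart events over a sliding window; the restart line is counted as the event and the core-dump line is kept as corroborating evidence, so a single crash is not double-counted. Correlating the restart timestamps with inbound TCP captures, as the detection strategy above suggests, is then a matter of joining on host and time.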

Monitoring Recommendations

  • Forward Junos device logs to a centralized SIEM or data lake and alert on pfe crash signatures
  • Establish a baseline for pfe uptime and alert on any unscheduled restart
  • Capture NetFlow or sFlow telemetry from edge devices to identify anomalous TCP source patterns preceding outages

How to Mitigate CVE-2024-39540

Immediate Actions Required

  • Identify SRX Series and MX Series (with SPC3) devices running Junos OS 21.2R3-S5 and prioritize them for upgrade
  • Upgrade affected devices to Junos OS 21.2R3-S6 or any later fixed release as documented in the Juniper advisory
  • Restrict inbound TCP exposure on management and untrusted interfaces using firewall filters and edge ACLs until patching completes

Patch Information

Juniper has released fixed software in Junos OS 21.2R3-S6 and later. Releases prior to 21.2R3-S5 were never affected, and 21.2R3-S6 and later carry the fix. Customers should consult the Juniper Security Advisory JSA83000 for the authoritative list of fixed builds and upgrade procedures.
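The affected window is narrow (21.2R3-S5 and its builds, nothing earlier or later) and the platform scope is conditional (all SRX Series, MX Series only with an SPC3), which is easy to get wrong when triaging a fleet by hand. The following is an added example, not Juniper's code or anything from the advisory: it parses Junos release strings and the "Junos: <release>" line of show version output, applies the release window and platform rule stated on this page, and returns which devices need the 21.2R3-S6 upgrade. The inventory records are constructed and the hostnames hypothetical.

```python
import re

# Release window from the advisory as summarized on this page:
# 21.2R3-S5 and later releases before 21.2R3-S6, i.e. the S5 service release and
# any of its build numbers. Nothing else in the 21.2 train, and no other train.
AFFECTED_TRAIN = (21, 2, 3)   # major.minor R<release>
AFFECTED_SERVICE = 5          # -S5, any build suffix

# Junos OS release strings such as "21.2R3-S5.3", "21.2R3-S6", "21.2R3.8".
JUNOS_RELEASE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<release>\d+)"
    r"(?:-S(?P<service>\d+))?(?:\.(?P<build>\d+))?$"
)


def parse_release(version):
    """Return (major, minor, release, service, build); service/build are None when absent.

    Returns None for anything that is not a plain Junos OS release string.
    """
    m = JUNOS_RELEASE.match(version.strip())
    if not m:
        return None
    g = m.groupdict()
    return (
        int(g["major"]), int(g["minor"]), int(g["release"]),
        int(g["service"]) if g["service"] is not None else None,
        int(g["build"]) if g["build"] is not None else None,
    )


def is_affected(version):
    """True inside the advisory window, False outside it, None if unparseable."""
    parsed = parse_release(version)
    if parsed is None:
        return None
    major, minor, release, service, _build = parsed
    if (major, minor, release) != AFFECTED_TRAIN:
        return False
    return service == AFFECTED_SERVICE


def release_from_show_version(text):
    """Pull the release from the 'Junos: 21.2R3-S5.3' line of `show version` output."""
    m = re.search(r"^Junos:\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def device_in_scope(platform, has_spc3):
    """Platform rule from the page: every SRX Series; MX Series only with an SPC3 fitted."""
    p = platform.upper()
    if p.startswith("SRX"):
        return True
    if p.startswith("MX"):
        return bool(has_spc3)
    return False


def triage(inventory):
    """Return (hosts needing the 21.2R3-S6 upgrade, hosts whose version could not be read)."""
    upgrade, unknown = [], []
    for dev in inventory:
        verdict = is_affected(dev["version"])
        if verdict is None:
            unknown.append(dev["hostname"])
        elif verdict and device_in_scope(dev["platform"], dev.get("spc3", False)):
            upgrade.append(dev["hostname"])
    return upgrade, unknown


# Constructed inventory (hypothetical hostnames); `version` is what `show version` reports.
SAMPLE_INVENTORY = [
    {"hostname": "srx-edge-1", "platform": "SRX4600", "version": "21.2R3-S5.3", "spc3": False},
    {"hostname": "srx-edge-2", "platform": "SRX4600", "version": "21.2R3-S6",   "spc3": False},
    {"hostname": "mx-core-1",  "platform": "MX480",   "version": "21.2R3-S5",   "spc3": True},
    {"hostname": "mx-core-2",  "platform": "MX480",   "version": "21.2R3-S5",   "spc3": False},
    {"hostname": "mx-core-3",  "platform": "MX960",   "version": "21.2R3-S4.8", "spc3": True},
    {"hostname": "qfx-dc-1",   "platform": "QFX5120", "version": "21.2R3-S5",   "spc3": False},
    {"hostname": "lab-1",      "platform": "SRX1500", "version": "unknown",     "spc3": False},
]

# Constructed excerpt of `show version` output for release_from_show_version().
SAMPLE_SHOW_VERSION = "Hostname: srx-edge-1\nModel: srx4600\nJunos: 21.2R3-S5.3\n"

if __name__ == "__main__":
    print("upgrade:", triage(SAMPLE_INVENTORY)[0], "unknown:", triage(SAMPLE_INVENTORY)[1])
```

The two common mistakes this guards against are treating every 21.2R3 release as affected (21.2R3-S4 and 21.2R3-S6 are not) and treating every MX as affected (only those carrying an SPC3 are in scope). Devices whose version cannot be parsed are reported separately rather than silently passed, so they get a manual check.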

Workarounds

  • Apply firewall filters (lo0 and transit) to limit TCP exposure from untrusted sources to services hosted on the device
  • Use network segmentation and edge filtering to block direct TCP reachability to the control plane from the internet
  • Enable strict source address validation on perimeter devices; this does not remove the vulnerability, but it narrows the set of sources that can reach the device with spoofed addresses and makes a triggering sender easier to attribute

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
