CVE-2025-21599 Overview
A Missing Release of Memory after Effective Lifetime vulnerability (CWE-401) exists in the Juniper Tunnel Driver (jtd) component of Juniper Networks Junos OS Evolved. This memory leak vulnerability allows an unauthenticated network-based attacker to cause a Denial of Service (DoS) condition on affected devices.
When specifically malformed IPv6 packets are received by a vulnerable device, the kernel fails to properly release allocated memory after processing. This leads to progressive memory exhaustion that ultimately results in a system crash. Continuous receipt of these malicious packets can maintain a sustained DoS condition, rendering the network device inoperable.
Critical Impact
Unauthenticated attackers can remotely crash Juniper network devices configured with IPv6 by sending specially crafted packets, causing sustained service disruption across enterprise network infrastructure.
Affected Products
- Juniper Junos OS Evolved 22.4-EVO (before 22.4R3-S5-EVO)
- Juniper Junos OS Evolved 23.2-EVO (before 23.2R2-S2-EVO)
- Juniper Junos OS Evolved 23.4-EVO (before 23.4R2-S2-EVO)
- Juniper Junos OS Evolved 24.2-EVO (before 24.2R1-S2-EVO, 24.2R2-EVO)
Discovery Timeline
- January 9, 2025 - CVE-2025-21599 published to NVD
- January 26, 2026 - Last updated in NVD database
Technical Details for CVE-2025-21599
Vulnerability Analysis
This vulnerability resides in the Juniper Tunnel Driver (jtd), a kernel-level component responsible for handling tunneled network traffic on Junos OS Evolved platforms. The flaw represents a classic memory leak scenario where allocated kernel memory is not properly freed after being used to process IPv6 packets.
The attack requires only network access to the target device—no authentication or user interaction is necessary. This makes it particularly dangerous in enterprise and service provider environments where Juniper devices are commonly deployed as core network infrastructure.
Notably, this vulnerability only affects systems with IPv6 configured. Devices running in IPv4-only mode are not susceptible to this attack. Additionally, Junos OS Evolved versions prior to 22.4R1-EVO are not affected.
Root Cause
The root cause is a Missing Release of Memory after Effective Lifetime (CWE-401) in the Juniper Tunnel Driver. When processing certain malformed IPv6 packets destined to the device itself, the jtd component allocates kernel memory buffers but fails to release them after packet processing is complete. This implementation flaw causes memory to accumulate with each malicious packet received, eventually leading to kernel memory exhaustion.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication credentials. An attacker needs to:
- Identify a target Juniper device running a vulnerable version of Junos OS Evolved with IPv6 enabled
- Craft specifically malformed IPv6 packets designed to trigger the memory leak condition
- Send these packets directly to the target device (packets must be destined to the device, not just transiting through it)
- Continue sending malformed packets to maintain sustained memory exhaustion and DoS
The attack can be executed from anywhere with network connectivity to the management or data interfaces of the vulnerable device. Since no response from the target is required for the attack to succeed, the attacker can operate with minimal exposure.
Detection Methods for CVE-2025-21599
Indicators of Compromise
- Unexpected increase in kernel memory utilization on Junos OS Evolved devices
- System log entries indicating memory allocation failures or out-of-memory conditions
- Device instability or spontaneous reboots without apparent cause
- Elevated levels of malformed IPv6 traffic destined to device management interfaces
Detection Strategies
- Monitor kernel memory usage trends on Junos OS Evolved devices using show system memory commands
- Implement network intrusion detection rules to identify malformed IPv6 packet patterns targeting Juniper infrastructure
- Configure SNMP traps or syslog alerts for memory threshold violations on affected devices
- Deploy traffic analysis at network boundaries to detect anomalous IPv6 traffic destined to network infrastructure
Monitoring Recommendations
- Establish baseline memory utilization patterns for Junos OS Evolved devices and alert on significant deviations
- Enable comprehensive logging for the Juniper Tunnel Driver component to capture packet processing anomalies
- Implement centralized log aggregation to correlate memory exhaustion events across multiple devices
- Schedule regular memory utilization audits on critical network infrastructure running affected versions
How to Mitigate CVE-2025-21599
Immediate Actions Required
- Verify if IPv6 is enabled on affected Junos OS Evolved devices and assess criticality
- Review device firmware versions against the affected version list and prioritize patch deployment
- Consider temporarily disabling IPv6 on non-critical devices if patching cannot be performed immediately
- Implement network access controls to restrict which sources can send traffic directly to device management interfaces
Patch Information
Juniper Networks has released patched versions of Junos OS Evolved that address this vulnerability. Organizations should upgrade to the following fixed versions based on their current deployment:
- 22.4-EVO track: Upgrade to 22.4R3-S5-EVO or later
- 23.2-EVO track: Upgrade to 23.2R2-S2-EVO or later
- 23.4-EVO track: Upgrade to 23.4R2-S2-EVO or later
- 24.2-EVO track: Upgrade to 24.2R1-S2-EVO or 24.2R2-EVO or later
For complete patch details and download links, refer to the Juniper Security Advisory JSA92869.
Workarounds
- Disable IPv6 on affected devices where it is not operationally required until patches can be applied
- Implement strict access control lists (ACLs) to filter IPv6 traffic from untrusted sources reaching device control plane
- Deploy network-level filtering at perimeter devices to block malformed IPv6 packets before they reach vulnerable infrastructure
- Isolate management interfaces on a separate network segment with restricted access
# Example: Check current IPv6 configuration on Junos OS Evolved
show configuration protocols | display set | match inet6
# Example: Monitor kernel memory utilization
show system memory
# Example: Review system logs for memory-related events
show log messages | match "memory|kernel|jtd"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
