CVE-2025-30658 Overview
A Missing Release of Memory after Effective Lifetime vulnerability (CWE-401) has been identified in the Anti-Virus processing component of Juniper Networks Junos OS running on SRX Series firewalls. This memory leak vulnerability allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) condition by exhausting Juniper Buffers (jbufs) through specially crafted HTTP response content.
When Anti-Virus processing is enabled on SRX platforms, a malicious server can send specific content in the HTTP body of a response to a client request. These packets are queued by the Anti-Virus processing subsystem and stored in jbufs that are never released. Once these jbufs are exhausted, the affected device stops forwarding all transit traffic, effectively causing a complete network outage.
Critical Impact
Unauthenticated attackers can remotely exhaust memory buffers on Juniper SRX firewalls, causing complete network traffic forwarding failure requiring manual device reboot for recovery.
Affected Products
- Juniper Junos OS (all versions before 21.2R3-S9)
- Juniper Junos OS 21.4 (versions before 21.4R3-S10)
- Juniper Junos OS 22.2 (versions before 22.2R3-S6)
- Juniper Junos OS 22.4 (versions before 22.4R3-S6)
- Juniper Junos OS 23.2 (versions before 23.2R2-S3)
- Juniper Junos OS 23.4 (versions before 23.4R2-S3)
- Juniper Junos OS 24.2 (versions before 24.2R2)
- Juniper SRX Series (SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800)
Discovery Timeline
- April 9, 2025 - CVE-2025-30658 published to NVD
- January 23, 2026 - Last updated in NVD database
Technical Details for CVE-2025-30658
Vulnerability Analysis
This vulnerability represents a classic memory leak condition in the Anti-Virus content inspection pipeline. The flaw occurs within the jbuf (Juniper Buffer) memory management subsystem that handles packet queuing during Anti-Virus scanning operations. When the Anti-Virus engine processes HTTP response traffic containing specific malformed or crafted content, the allocated jbufs are never properly released back to the memory pool after processing completes.
The vulnerability is particularly dangerous because it can be triggered remotely without authentication. An attacker only needs to control or compromise an external server that can send malicious HTTP responses to clients behind the affected SRX firewall. The attack does not require any user interaction or special privileges, making it highly exploitable in real-world scenarios.
Root Cause
The root cause is a Missing Release of Memory after Effective Lifetime condition (CWE-401) in the Anti-Virus processing code path. When specific HTTP body content passes through the Anti-Virus inspection engine, the memory allocation routine properly allocates jbufs to hold the packet data for scanning, but the corresponding deallocation routine fails to execute under certain conditions. This creates a persistent memory leak that accumulates over time.
The vulnerability manifests specifically when:
- Anti-Virus feature is enabled on the SRX device
- HTTP traffic passes through the device for content inspection
- A server sends crafted content in the HTTP response body
- The jbuf allocation is not matched with a corresponding free operation
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Setting up a malicious web server or compromising an existing server
- Crafting HTTP responses with specific content that triggers the memory leak
- Enticing or waiting for clients behind the target SRX firewall to request content from the malicious server
- The malicious HTTP response passes through the SRX Anti-Virus inspection
- Each crafted response causes jbufs to be allocated but never freed
- Repeated requests progressively exhaust the jbuf pool
- Once jbufs are exhausted, the device stops forwarding all transit traffic
The vulnerability can be detected in device logs with messages similar to:
(<node>.)<fpc> Warning: jbuf pool id <#> utilization level (<current level>%) is above <threshold>%!
Recovery from exploitation requires a manual device reboot to free the leaked jbufs.
Detection Methods for CVE-2025-30658
Indicators of Compromise
- System log messages indicating jbuf pool utilization above threshold levels
- Warning messages in format: (<node>.)<fpc> Warning: jbuf pool id <#> utilization level (<current level>%) is above <threshold>%!
- Progressive memory utilization increase in Anti-Virus processing subsystem
- Unexpected transit traffic forwarding failures on SRX devices
- Increased frequency of required device reboots to restore network functionality
Detection Strategies
- Implement SNMP monitoring for jbuf pool utilization metrics on all SRX devices with Anti-Virus enabled
- Configure syslog alerting for jbuf utilization warning messages to security operations centers
- Deploy network traffic analysis to identify anomalous HTTP response patterns from external servers
- Monitor for sudden drops in traffic throughput that may indicate buffer exhaustion conditions
- Establish baseline memory utilization metrics to detect abnormal memory consumption trends
Monitoring Recommendations
- Set up automated alerts for jbuf utilization warnings at 70%, 80%, and 90% thresholds for early detection
- Implement regular polling of memory subsystem statistics via Junos CLI or SNMP
- Create dashboards to visualize jbuf pool utilization trends across the SRX fleet
- Configure log aggregation to centralize and correlate jbuf-related warnings from multiple devices
- Schedule periodic memory health checks as part of routine network monitoring procedures
How to Mitigate CVE-2025-30658
Immediate Actions Required
- Review Anti-Virus configuration on all SRX Series devices to assess exposure
- Implement monitoring for jbuf utilization warnings to detect potential exploitation attempts
- Prepare emergency maintenance windows for device reboots if memory exhaustion is detected
- Evaluate business-critical traffic flows that traverse affected SRX devices
- Plan and schedule patching activities based on version-specific remediation requirements
Patch Information
Juniper Networks has released patched versions of Junos OS to address this vulnerability. Organizations should upgrade to the following fixed versions based on their current deployment:
- Junos OS 21.2: Upgrade to 21.2R3-S9 or later
- Junos OS 21.4: Upgrade to 21.4R3-S10 or later
- Junos OS 22.2: Upgrade to 22.2R3-S6 or later
- Junos OS 22.4: Upgrade to 22.4R3-S6 or later
- Junos OS 23.2: Upgrade to 23.2R2-S3 or later
- Junos OS 23.4: Upgrade to 23.4R2-S3 or later
- Junos OS 24.2: Upgrade to 24.2R2 or later
Refer to the Juniper Security Advisory JSA96469 for complete patch details and download links.
Workarounds
- Temporarily disable the Anti-Virus feature on affected SRX devices if the security risk is acceptable for your environment
- Implement upstream traffic filtering to block known malicious sources targeting the vulnerability
- Deploy redundant SRX devices to maintain network availability during potential exploitation or required reboots
- Configure more aggressive jbuf pool warning thresholds to enable earlier detection and response
- Establish documented procedures for rapid device reboot if jbuf exhaustion is detected
# Check current Junos OS version
show version
# Monitor jbuf pool utilization
show system buffer-pool
# Review Anti-Virus configuration status
show security utm anti-virus status
# Configure syslog for jbuf warnings
set system syslog file messages any any
set system syslog file messages match "jbuf pool"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
