CVE-2025-52946 Overview
CVE-2025-52946 is a Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. This vulnerability allows a remote attacker to send a BGP update containing a specifically malformed AS PATH attribute, causing the rpd process to crash and resulting in a Denial of Service (DoS) condition. Continuous receipt of malformed AS PATH attributes will sustain the denial of service, potentially disrupting critical network routing operations.
The vulnerability specifically affects systems where BGP traceoptions are enabled and requires an established BGP session. Systems without BGP traceoptions enabled are not impacted by this issue. This vulnerability represents a more complete fix for the previously published CVE-2024-39549 (JSA83011).
Critical Impact
Remote attackers can crash the routing protocol daemon via malformed BGP updates, causing sustained network outages in enterprise and service provider environments with BGP traceoptions enabled.
Affected Products
- Juniper Networks Junos OS (all versions before 21.2R3-S9, all versions of 21.4, from 22.2 before 22.2R3-S6, from 22.4 before 22.4R3-S5, from 23.2 before 23.2R2-S3, from 23.4 before 23.4R2-S4, from 24.2 before 24.2R2)
- Juniper Networks Junos OS Evolved (all versions before 22.4R3-S5-EVO, from 23.2-EVO before 23.2R2-S3-EVO, from 23.4-EVO before 23.4R2-S4-EVO, from 24.2-EVO before 24.2R2-EVO)
Discovery Timeline
- July 11, 2025 - CVE-2025-52946 published to NVD
- January 23, 2026 - Last updated in NVD database
Technical Details for CVE-2025-52946
Vulnerability Analysis
This Use After Free (CWE-416) vulnerability occurs in the routing protocol daemon (rpd), which is responsible for managing BGP routing operations on Juniper Networks devices. The flaw is triggered when the rpd process handles a BGP update containing a specifically malformed AS PATH attribute while traceoptions are enabled.
When a BGP peer sends a crafted update with the malformed AS PATH, the rpd process attempts to process the data but encounters a memory handling error. The daemon references memory that has already been freed, leading to undefined behavior and ultimately causing the process to crash. Upon crash, the rpd process will restart, but continuous receipt of the malicious BGP updates will cause repeated crashes, resulting in a sustained DoS condition.
The attack can be executed over the network without requiring authentication, though it does require an established BGP peering session with the target device. This makes the vulnerability particularly concerning for organizations with external BGP peering relationships.
Root Cause
The root cause is a Use After Free memory corruption vulnerability in the BGP AS PATH parsing logic within the rpd process. When processing certain malformed AS PATH attributes with traceoptions enabled, the daemon incorrectly accesses memory that has been deallocated. This memory management flaw allows attackers to trigger a crash by sending specially crafted BGP updates through an established BGP session.
Attack Vector
The attack is network-based and can be executed by any BGP peer with an established session to the vulnerable device. The attacker constructs a BGP UPDATE message containing a malformed AS PATH attribute and transmits it to the target router. When the target has BGP traceoptions enabled, the malformed attribute triggers the Use After Free condition during processing, causing the rpd daemon to crash.
The attack requires:
- An established BGP session with the target device
- BGP traceoptions to be enabled on the target
- The ability to send BGP UPDATE messages with crafted AS PATH attributes
The vulnerability is particularly dangerous in service provider environments where BGP peering with external autonomous systems is common and traceoptions may be enabled for troubleshooting purposes.
Detection Methods for CVE-2025-52946
Indicators of Compromise
- Repeated rpd process crashes and restarts observed in system logs
- BGP session instability or flapping with specific peers
- Presence of malformed AS PATH attributes in BGP traceoption logs
- Unexpected BGP UPDATE messages with unusually structured AS PATH data
- Elevated memory-related error messages in system diagnostics
Detection Strategies
- Monitor system logs for rpd crash events using show system core-dumps and show log messages | match rpd
- Implement BGP session monitoring to detect unusual patterns of session drops or resets
- Deploy network intrusion detection systems (IDS) with signatures for malformed BGP AS PATH attributes
- Configure SNMP traps for routing daemon health monitoring
- Review BGP traceoption output for anomalous AS PATH structures in received updates
Monitoring Recommendations
- Enable centralized logging for all Juniper devices to correlate rpd crash events across the network
- Implement real-time alerting for routing protocol daemon crashes or restarts
- Monitor BGP session states and peer health metrics through network management systems
- Review BGP UPDATE traffic patterns from external peers for anomalies
- Maintain baseline metrics for rpd process behavior to detect deviations
How to Mitigate CVE-2025-52946
Immediate Actions Required
- Upgrade affected Juniper Junos OS and Junos OS Evolved systems to patched versions immediately
- If patching is not immediately possible, consider disabling BGP traceoptions as a temporary mitigation
- Review BGP peering configurations and assess risk from external peers
- Implement strict BGP filtering policies to limit exposure from untrusted peers
- Enable monitoring for rpd crashes to detect potential exploitation attempts
Patch Information
Juniper Networks has released security patches addressing this vulnerability. Organizations should upgrade to the following fixed versions:
Junos OS:
- Version 21.2R3-S9 or later (for pre-21.2 releases)
- Version 22.2R3-S6 or later
- Version 22.4R3-S5 or later
- Version 23.2R2-S3 or later
- Version 23.4R2-S4 or later
- Version 24.2R2 or later
Junos OS Evolved:
- Version 22.4R3-S5-EVO or later
- Version 23.2R2-S3-EVO or later
- Version 23.4R2-S4-EVO or later
- Version 24.2R2-EVO or later
Note: All versions of Junos OS 21.4 are affected with no direct upgrade path mentioned. Consult the Juniper Support Advisory for migration guidance.
Workarounds
- Disable BGP traceoptions on affected devices if not required for operational purposes, as the vulnerability only impacts systems with traceoptions enabled
- Implement BGP route filtering with prefix lists and AS-path access lists to restrict accepted routes from external peers
- Consider implementing BGP GTSM (Generalized TTL Security Mechanism) to limit BGP session establishment to directly connected peers
- Deploy out-of-band management access to maintain device control during potential DoS conditions
- Establish BGP session limits and rate limiting where supported to reduce impact of malicious updates
# Disable BGP traceoptions as temporary mitigation
delete protocols bgp traceoptions
commit
# Verify traceoptions are disabled
show configuration protocols bgp | match traceoptions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
