CVE-2026-21906 Overview
CVE-2026-21906 is a high-severity denial of service vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series firewalls. An unauthenticated, network-based attacker can send a specific Internet Control Message Protocol (ICMP) packet through a Generic Routing Encapsulation (GRE) tunnel to crash the PFE. The crash forces a restart and causes traffic loss on the affected device.
The issue is triggered when PowerMode IPsec (PMI) and GRE performance acceleration are both enabled. PMI is enabled by default on supported SRX platforms, increasing the exposure footprint. The vulnerability is classified under [CWE-755] (Improper Handling of Exceptional Conditions).
Critical Impact
A single crafted ICMP packet over an existing GRE tunnel triggers a PFE crash, producing repeated traffic outages on SRX firewalls protecting enterprise perimeters.
Affected Products
- Juniper Junos OS on SRX Series: all versions before 21.4R3-S12
- Juniper Junos OS on SRX Series: 22.4 before 22.4R3-S8, 23.2 before 23.2R2-S5, 23.4 before 23.4R2-S5
- Juniper Junos OS on SRX Series: 24.2 before 24.2R2-S3, 24.4 before 24.4R2-S1, 25.2 before 25.2R1-S1, and 25.2R2
Discovery Timeline
- 2026-01-15 - CVE-2026-21906 published to NVD
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2026-21906
Vulnerability Analysis
The flaw resides in the SRX packet forwarding engine when processing ICMP traffic encapsulated in GRE tunnels under the PowerMode IPsec (PMI) data path. PMI uses Vector Packet Processing (VPP) to accelerate IPsec throughput. When GRE performance acceleration is layered on top of PMI, a specific ICMP packet structure is not handled correctly by the exception path in the PFE.
The result is a PFE crash and automatic restart. During the restart window, the SRX cannot forward traffic, producing a denial of service condition on the firewall data plane. Because SRX devices commonly sit at network perimeters or between security zones, the crash interrupts all transit flows until the PFE recovers.
Root Cause
The root cause is improper handling of an exceptional condition in the PMI/GRE acceleration code path. The PFE encounters an unexpected state when parsing the malformed ICMP packet inside the GRE tunnel and fails to gracefully reject it. Instead of dropping the offending packet, the engine aborts, which terminates packet forwarding for all flows on the affected forwarding plane.
Attack Vector
Exploitation requires only network reachability to a GRE tunnel endpoint on a vulnerable SRX device with PMI and GRE performance acceleration enabled. No authentication and no user interaction are required. The attacker crafts an ICMP packet matching the trigger condition and routes it through the GRE tunnel toward the SRX. Repeated transmission causes recurring PFE restarts, sustaining the outage.
No public proof-of-concept code is available for this vulnerability. Refer to the Juniper Security Advisory JSA106005 for vendor-confirmed technical details.
Detection Methods for CVE-2026-21906
Indicators of Compromise
- Repeated PFE crash and restart events logged by the SRX, often correlated with PFED or fpc daemon entries in messages logs
- Sudden, brief traffic loss across GRE tunnel interfaces without a corresponding routing change
- Core files generated on the Routing Engine that reference PMI or GRE acceleration modules
Detection Strategies
- Monitor Junos system logs for PFE restart messages and correlate them with inbound ICMP-over-GRE traffic timestamps
- Inspect SNMP traps and chassis alarms for forwarding plane failures on SRX nodes that have set security flow power-mode-ipsec and GRE acceleration configured
- Use packet captures at GRE tunnel endpoints to identify anomalous ICMP types, codes, or lengths preceding a crash
Monitoring Recommendations
- Forward Junos syslog and chassisd events to a central SIEM and alert on repeated PFE restarts within short time windows
- Track GRE tunnel uptime and ICMP volume per tunnel to surface anomalous spikes that precede crashes
- Enable NetFlow or sFlow on transit paths to retain flow records when the PFE restarts
How to Mitigate CVE-2026-21906
Immediate Actions Required
- Upgrade Junos OS on SRX Series to a fixed release: 21.4R3-S12, 22.4R3-S8, 23.2R2-S5, 23.4R2-S5, 24.2R2-S3, 24.4R2-S1, 25.2R1-S1, or later
- Inventory SRX devices to identify those with PMI enabled by default and GRE performance acceleration configured
- Restrict ICMP traffic that can reach GRE tunnel endpoints from untrusted networks using upstream filtering
Patch Information
Juniper Networks has released fixed software versions documented in Juniper Security Advisory JSA106005. Customers should consult the advisory and the Juniper Support portal for download links and platform-specific guidance.
Workarounds
- Disable GRE performance acceleration on affected SRX devices until patching is complete, which removes the prerequisite for exploitation
- Optionally disable PowerMode IPsec (PMI) where performance trade-offs are acceptable; review the Juniper PowerMode IPsec documentation before changing configuration
- Apply ingress access control lists to drop unexpected ICMP types and codes destined for GRE tunnel endpoints
# Example: disable GRE performance acceleration on SRX (workaround)
configure
delete security flow power-mode-ipsec gre-performance-acceleration
commit and-quit
# Verify the configuration no longer references GRE acceleration
show configuration security flow | display set
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
