CVE-2026-21909 Overview
A Missing Release of Memory after Effective Lifetime vulnerability (CWE-401) has been identified in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. This memory leak allows an unauthenticated attacker who controls an adjacent IS-IS neighbor to send specially crafted update packets that cause memory to accumulate without being released.
The continued receipt and processing of these malicious packets will progressively exhaust all available memory on the affected device, ultimately crashing the routing protocol daemon (rpd) and creating a Denial of Service (DoS) condition that can severely impact network operations.
Critical Impact
An unauthenticated adjacent attacker can cause a complete denial of service by exhausting system memory through IS-IS protocol manipulation, crashing the routing daemon and disrupting network connectivity.
Affected Products
- Junos OS from 23.2 before 23.2R2
- Junos OS from 23.4 before 23.4R1-S2 or 23.4R2
- Junos OS from 24.1 before 24.1R2
- Junos OS Evolved from 23.2 before 23.2R2-EVO
- Junos OS Evolved from 23.4 before 23.4R1-S2-EVO or 23.4R2-EVO
- Junos OS Evolved from 24.1 before 24.1R2-EVO
Discovery Timeline
- January 15, 2026 - CVE-2026-21909 published to NVD
- January 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-21909
Vulnerability Analysis
This vulnerability represents a classic memory leak condition within the routing protocol daemon's handling of IS-IS (Intermediate System to Intermediate System) protocol traffic. When the rpd processes certain IS-IS update packets from an adjacent neighbor, it allocates memory for the TED-INFRA-COOKIE data structure but fails to properly release this memory after it is no longer needed.
The vulnerability is exploitable from an adjacent network position, meaning the attacker must be able to establish or spoof an IS-IS neighbor relationship with the target device. This is consistent with the attack vector being classified as Adjacent Network, requiring the attacker to have access to the same network segment or broadcast domain as the vulnerable Juniper device.
The impact is focused entirely on availability rather than confidentiality or integrity. As memory continues to be consumed without release, the system will eventually reach a critical state where the routing daemon can no longer function, leading to a crash. In production network environments, this could cause routing table loss and significant network disruption.
Importantly, versions of Junos OS before 23.2R1 and Junos OS Evolved before 23.2R1-EVO are not affected by this vulnerability.
Root Cause
The root cause is a Missing Release of Memory after Effective Lifetime (CWE-401) in the routing protocol daemon's IS-IS packet processing logic. When the daemon receives and processes specific IS-IS update packets, memory is allocated for internal data structures (specifically TED-INFRA-COOKIE objects) but the corresponding deallocation routines are not properly invoked, causing a persistent memory leak with each processed packet.
Attack Vector
The attack requires the adversary to control or spoof an adjacent IS-IS neighbor relationship with the target Juniper device. Once in position, the attacker sends specially crafted IS-IS update packets that trigger the memory allocation without corresponding deallocation. By continuously sending these packets, the attacker can systematically exhaust all available memory on the target device.
The attack does not require any authentication or user interaction, making it exploitable by any entity with adjacent network access and the ability to participate in IS-IS routing exchanges. Memory exhaustion will eventually cause the rpd process to crash, creating a denial of service condition that persists until the device is recovered.
Memory usage can be monitored using the show task memory detail command, filtering for TED-INFRA-COOKIE entries. Increasing values in this output indicate potential exploitation or memory leak conditions.
Detection Methods for CVE-2026-21909
Indicators of Compromise
- Progressively increasing memory consumption in TED-INFRA-COOKIE allocations visible via show task memory detail | match ted-infra
- Unexpected rpd daemon crashes or restarts
- IS-IS adjacency flaps or unusual neighbor behavior
- System log entries indicating memory exhaustion or out-of-memory conditions
Detection Strategies
- Implement baseline monitoring of rpd memory utilization and alert on abnormal growth patterns
- Monitor IS-IS adjacency logs for unexpected neighbors or unusual update packet frequencies
- Configure SNMP traps or syslog alerts for rpd process failures or restarts
- Deploy network security monitoring to detect anomalous IS-IS traffic patterns from adjacent devices
Monitoring Recommendations
- Regularly run show task memory detail | match ted-infra and track TED-INFRA-COOKIE memory allocation trends over time
- Set up automated alerting when rpd memory usage exceeds established thresholds
- Monitor system health dashboards for memory utilization spikes correlating with IS-IS activity
- Review IS-IS neighbor tables periodically to verify only expected adjacencies are present
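As an added example (not from the advisory or from Juniper), the following Python script applies the baseline-and-trend rule above to captures of show task memory detail | match ted-infra. The captured lines are constructed, the column layout of the report line (and therefore ALLOC_COLUMN and BYTES_COLUMN), and the alerting thresholds are assumptions for this example; adapt them to what your release actually prints.

```python
from datetime import datetime

# Column indices within one TED-INFRA-COOKIE report line. The layout assumed
# here (Name, Size, Alloc, DTXP flags, Alloc count, Bytes, MaxAlloc, MaxBytes)
# is an assumption for this example, not taken from the advisory; point
# BYTES_COLUMN at whichever column holds currently allocated bytes on your release.
NAME = "TED-INFRA-COOKIE"
ALLOC_COLUMN = 4
BYTES_COLUMN = 5

# Constructed sample: four polls, five minutes apart, of
#   show task memory detail | match ted-infra
# on a hypothetical device. The first two polls are a healthy baseline; the
# last two show the unbounded growth the advisory describes.
SAMPLES = [
    ("2026-01-20T10:00:00", "TED-INFRA-COOKIE   40   48  T     120     5760     120     5760"),
    ("2026-01-20T10:05:00", "TED-INFRA-COOKIE   40   48  T     122     5856     122     5856"),
    ("2026-01-20T10:10:00", "TED-INFRA-COOKIE   40   48  T    4810   230880    4810   230880"),
    ("2026-01-20T10:15:00", "TED-INFRA-COOKIE   40   48  T    9720   466560    9720   466560"),
]


def parse_ted_cookie(line):
    """Return (live object count, bytes held) from one matched report line."""
    fields = line.split()
    if not fields or fields[0] != NAME:
        raise ValueError("not a %s line: %r" % (NAME, line))
    return int(fields[ALLOC_COLUMN]), int(fields[BYTES_COLUMN])


def cookie_series(samples):
    """Turn (ISO timestamp, report line) pairs into (datetime, bytes) points."""
    series = []
    for ts, line in samples:
        _, nbytes = parse_ted_cookie(line)
        series.append((datetime.fromisoformat(ts), nbytes))
    return series


def assess_leak(series, min_polls=3, growth_ratio=2.0):
    """
    Flag a leak when the last `min_polls` points grow strictly monotonically
    and the latest value is at least `growth_ratio` times the first point,
    which serves as the baseline. Returns a verdict dict the caller can alert on.
    """
    if len(series) < min_polls:
        return {"leak": False, "reason": "not enough polls"}
    recent = series[-min_polls:]
    monotonic = all(b[1] > a[1] for a, b in zip(recent, recent[1:]))
    baseline = series[0][1]
    latest_ts, latest = series[-1]
    ratio = latest / baseline if baseline else float("inf")
    minutes = (latest_ts - series[0][0]).total_seconds() / 60 or 1
    rate = (latest - baseline) / minutes
    return {
        "leak": monotonic and ratio >= growth_ratio,
        "baseline_bytes": baseline,
        "latest_bytes": latest,
        "growth_ratio": round(ratio, 2),
        "bytes_per_minute": round(rate, 1),
    }


if __name__ == "__main__":
    print(assess_leak(cookie_series(SAMPLES)))
```

A healthy device shows small, non-monotonic fluctuations in this allocator as the traffic-engineering database changes; the rule above deliberately requires several consecutive increases plus a multiple of the baseline so that ordinary churn does not page anyone.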
How to Mitigate CVE-2026-21909
Immediate Actions Required
- Identify all Juniper devices running affected versions of Junos OS (23.2 through 24.1) and Junos OS Evolved (23.2-EVO through 24.1-EVO)
- Prioritize patching devices in production environments with IS-IS enabled
- Monitor memory utilization on vulnerable devices using show task memory detail until patches can be applied
- Consider restricting physical and logical access to network segments where IS-IS adjacencies are established
Patch Information
Juniper Networks has released security patches to address this vulnerability. Upgrade to the following fixed versions:
Junos OS:
- 23.2R2 or later
- 23.4R1-S2, 23.4R2 or later
- 24.1R2 or later
Junos OS Evolved:
- 23.2R2-EVO or later
- 23.4R1-S2-EVO, 23.4R2-EVO or later
- 24.1R2-EVO or later
For detailed patch information and download links, refer to the Juniper Security Advisory JSA106008.
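To turn the affected and fixed version lists above into an inventory check, here is an added Python example (not code from the advisory or from Juniper). The version-string regex, the hostnames and versions in the inventory, and the "not listed" handling for trains outside the advisory's list are assumptions for this example; the fixed-release table is copied from the page.

```python
import re

# Junos version strings look like 23.4R1-S2.5 (release R1, service release S2,
# build 5); Junos OS Evolved appends -EVO. The regex is an assumption that
# covers the forms used in this advisory.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?(-EVO)?$")

# Fixed releases per train, exactly as listed in the advisory.
FIXED = {
    "23.2": ["23.2R2"],
    "23.4": ["23.4R1-S2", "23.4R2"],
    "24.1": ["24.1R2"],
}


def parse_junos_version(text):
    """Return ((major, minor, R, S, build), is_evolved) for a version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Junos version: %r" % text)
    major, minor, rel, svc, build, evo = m.groups()
    key = (int(major), int(minor), int(rel), int(svc or 0), int(build or 0))
    return key, evo is not None


def assess_version(text):
    """Classify one version as affected, fixed, or not listed in the advisory."""
    key, evo = parse_junos_version(text)
    train = "%d.%d" % key[:2]
    platform = "Junos OS Evolved" if evo else "Junos OS"
    suffix = "-EVO" if evo else ""
    if train not in FIXED:
        # Trains before 23.2 are stated as not affected; later trains are
        # simply absent from the advisory's list, so we do not guess either way.
        return {"version": text, "platform": platform, "status": "not listed", "upgrade_to": []}
    earliest_fix = min(parse_junos_version(v)[0] for v in FIXED[train])
    # A service release on an earlier R (23.4R1-S2) sorts below the next R
    # (23.4R2), so "earlier than the lowest fixed release" is the whole test.
    status = "affected" if key < earliest_fix else "fixed"
    upgrade = [v + suffix for v in FIXED[train]] if status == "affected" else []
    return {"version": text, "platform": platform, "status": status, "upgrade_to": upgrade}


# Constructed inventory of hypothetical devices and their versions.
INVENTORY = [
    ("core-rtr-1", "23.4R1-S1.3"),
    ("core-rtr-2", "23.4R1-S2.5"),
    ("edge-1", "23.2R1-S2-EVO"),
    ("edge-2", "24.1R2.4"),
    ("lab-1", "22.4R3"),
    ("dc-1", "24.1R1-EVO"),
]


def affected_hosts(inventory):
    """Return hostnames whose version the advisory lists as affected."""
    return [host for host, ver in inventory if assess_version(ver)["status"] == "affected"]


if __name__ == "__main__":
    for host, ver in INVENTORY:
        v = assess_version(ver)
        print("%-12s %-16s %-10s %s" % (host, ver, v["status"], ", ".join(v["upgrade_to"])))
```

The comparison is a plain tuple comparison, which is why a service release on R1 (23.4R1-S2) correctly counts as fixed while 23.4R1-S1 does not, and why R2 and later on the same train need no separate rule.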
Workarounds
- If immediate patching is not possible, implement strict IS-IS authentication to prevent unauthorized neighbors from establishing adjacencies (this blocks rogue or spoofed neighbors, but not packets from a legitimately authenticated neighbor that has itself been compromised)
- Consider temporarily disabling IS-IS on non-critical interfaces until patches can be applied
- Implement network segmentation to limit which devices can establish IS-IS adjacencies with vulnerable systems
- Schedule regular rpd daemon restarts during maintenance windows to clear accumulated memory (temporary measure only; note that restarting rpd interrupts routing on devices without graceful Routing Engine switchover and nonstop active routing)
# Enable IS-IS authentication on both levels to restrict which neighbors can form adjacencies.
# Replace "your-secure-key" with a strong shared secret; every legitimate neighbor needs the same key.
set protocols isis level 1 authentication-key "your-secure-key"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "your-secure-key"
set protocols isis level 2 authentication-type md5
# Activate the change
commit
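As an added example (not from the advisory or from Juniper), the following Python audit reads set-style IS-IS configuration, such as the output of show configuration protocols isis | display set, and reports for each level whether the workaround above is actually in place. Both configuration blocks are constructed: the weak one uses the cleartext simple type on level 1 and nothing on level 2, the hardened one is the advisory's workaround; the $9$ key value is a placeholder, and the interface names are hypothetical.

```python
import re

# Only the level-wide knobs the advisory's workaround sets are audited here.
AUTH_RE = re.compile(r'^set protocols isis level ([12]) authentication-(key|type) (.+)$')

# Constructed `show configuration protocols isis | display set` output from a
# hypothetical device: level 1 uses the cleartext "simple" type and level 2
# has no authentication at all. The $9$ key value is a made-up placeholder.
WEAK_CONFIG = """
set protocols isis interface ge-0/0/0.0
set protocols isis interface ge-0/0/1.0
set protocols isis level 1 authentication-key "$9$EXAMPLE-PLACEHOLDER"
set protocols isis level 1 authentication-type simple
"""

# The advisory's workaround applied to both levels (key value is a placeholder).
HARDENED_CONFIG = """
set protocols isis interface ge-0/0/0.0
set protocols isis interface ge-0/0/1.0
set protocols isis level 1 authentication-key "$9$EXAMPLE-PLACEHOLDER"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "$9$EXAMPLE-PLACEHOLDER"
set protocols isis level 2 authentication-type md5
"""


def audit_isis_auth(config_text):
    """Return {level: {"key": bool, "type": str or None, "status": str}} for levels 1 and 2."""
    found = {1: {"key": False, "type": None}, 2: {"key": False, "type": None}}
    for line in config_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        level, kind, value = int(m.group(1)), m.group(2), m.group(3).strip('"')
        if kind == "key":
            found[level]["key"] = bool(value)
        else:
            found[level]["type"] = value
    for info in found.values():
        if not info["key"] and info["type"] is None:
            info["status"] = "missing"      # any neighbor can form an adjacency
        elif not info["key"] or info["type"] is None:
            info["status"] = "incomplete"   # key without type or vice versa
        elif info["type"] != "md5":
            info["status"] = "weak"         # "simple" sends the key in cleartext
        else:
            info["status"] = "ok"
    return found


def unprotected_levels(config_text):
    """Levels that do not meet the workaround, sorted for stable reporting."""
    return sorted(lvl for lvl, info in audit_isis_auth(config_text).items() if info["status"] != "ok")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_isis_auth(cfg), "unprotected:", unprotected_levels(cfg))
```

Treating a level with no authentication lines as "missing" rather than ignoring it is the point of the check: a device that runs only level 2 but was hardened only on level 1 is exactly the gap this audit is meant to surface.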
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


