CVE-2026-21910 Overview
An Improper Check for Unusual or Exceptional Conditions vulnerability (CWE-754) exists in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms. This vulnerability allows an unauthenticated network-adjacent attacker to cause traffic between VXLAN Network Identifiers (VNIs) to drop by flapping an interface, leading to a Denial of Service (DoS) condition.
On all EX4k and QFX5k platforms, a link flap on a Link Aggregation Group (LAG) in an EVPN-VXLAN configuration causes Inter-VNI traffic to drop when multiple load-balanced next-hop routes exist for the same destination. Service can only be restored by restarting the affected FPC with the `request chassis fpc restart slot <slot-number>` command.
Critical Impact
Network-adjacent attackers can trigger complete Inter-VNI traffic loss in EVPN-VXLAN environments, requiring manual FPC restart to recover service.
Affected Products
- Juniper Networks Junos OS on EX4k Series (EX4100, EX4300, EX4400, EX4650)
- Juniper Networks Junos OS on QFX5k Series (QFX5110, QFX5120, QFX5200)
- Systems supporting EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG)
Discovery Timeline
- 2026-01-15 - CVE-2026-21910 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-21910
Vulnerability Analysis
This vulnerability stems from improper handling of exceptional conditions within the packet forwarding engine when processing interface state changes in EVPN-VXLAN environments with LAG configurations. The PFE fails to properly handle link flap events when multiple load-balanced next-hop routes exist for the same destination, resulting in the forwarding tables becoming corrupted or inconsistent.
The vulnerability specifically affects systems configured with EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), which are used in data center environments to provide multi-homing and redundancy for virtualized workloads. When an interface flap occurs, the PFE does not correctly update the forwarding state, causing traffic destined for different VNIs to be dropped.
Root Cause
The root cause is classified as CWE-754: Improper Check for Unusual or Exceptional Conditions. The packet forwarding engine lacks proper validation and state management logic when handling rapid interface state transitions in complex EVPN-VXLAN topologies with multiple ECMP next-hops. This creates a race condition where the forwarding tables can enter an inconsistent state that persists until the FPC is manually restarted.
Attack Vector
The attack requires network-adjacent access, meaning the attacker must be on the same network segment as the vulnerable device. The attacker can exploit this vulnerability by deliberately causing interface flapping on a LAG member port within an EVPN-VXLAN environment. This could be achieved through:
- Physical manipulation of network cables on accessible ports
- Sending malformed frames that cause the interface to reset
- Exploiting other vulnerabilities to control connected devices and generate link instability
The attack does not require authentication or user interaction, making it relatively straightforward to execute for an attacker with the necessary network position. Once triggered, the Inter-VNI traffic loss persists until administrative intervention occurs.
Detection Methods for CVE-2026-21910
Indicators of Compromise
- Unexpected Inter-VNI traffic drops in EVPN-VXLAN environments
- Repeated interface flap events logged on LAG member ports
- FPC errors or warnings in system logs related to forwarding table inconsistencies
- Customer reports of connectivity issues between VNIs following interface state changes
Detection Strategies
- Monitor for excessive interface flap events on LAG member ports using `show interfaces extensive`
- Implement SNMP traps for link state changes on EVPN-VXLAN interfaces
- Configure syslog monitoring for PFE-related error messages and forwarding exceptions
- Review system logs with `show log messages | match "fpc|pfe|vxlan"` for anomalies
Monitoring Recommendations
- Enable enhanced logging for PFE events and interface state transitions
- Implement network monitoring tools to detect unusual traffic patterns between VNIs
- Set up alerts for unexpected FPC restart requirements
- Monitor LAG member port stability metrics and establish baselines for normal behavior
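The detection and monitoring lists above call for baselining LAG member port stability and alerting on excessive flaps. The following is an added example (not part of the original advisory or of Junos) that counts DOWN-to-UP cycles per LAG member port from syslog lines and flags ports exceeding a threshold in a sliding window; the log lines are constructed in the style of Junos mib2d `SNMP_TRAP_LINK_*` messages, and the LAG membership map, window and threshold are assumptions.

```python
"""Flag LAG member ports that flap more than a threshold inside a time window,
from Junos syslog lines. Added example; log lines are constructed (modelled on
mib2d SNMP_TRAP_LINK_* messages); LAG map, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LAG_MEMBERS = {"xe-0/0/1": "ae0", "xe-0/0/2": "ae0", "xe-0/0/5": "ae1"}  # constructed
_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+mib2d\[\d+\]:\s+"
    r"SNMP_TRAP_LINK_(?P<state>UP|DOWN):.*\bifName\s+(?P<ifname>\S+)")

def parse_events(lines):
    """Yield (ts, ifname, state) for link trap lines; syslog has no year, one is assumed."""
    for line in lines:
        m = _LINE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ifname"], m["state"]

def flapping_members(lines, window_s=60, threshold=3):
    """Return {ifname: (aggregate, flaps_in_window)} for LAG member ports with
    more than `threshold` DOWN->UP cycles inside any `window_s`-second span."""
    flaps = defaultdict(list)   # ifname -> DOWN timestamps of completed cycles
    pending = {}                # ifname -> time of last DOWN still awaiting an UP
    for ts, ifname, state in parse_events(lines):
        if ifname not in LAG_MEMBERS:
            continue            # non-LAG ports are not the trigger described here
        if state == "DOWN":
            pending[ifname] = ts
        elif ifname in pending:
            flaps[ifname].append(pending.pop(ifname))
    result = {}
    for ifname, times in flaps.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):       # sliding window over flap start times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            result[ifname] = (LAG_MEMBERS[ifname], best)
    return result

def _trap(hms, state, ifidx, ifname):  # one constructed mib2d-style syslog line
    return (f"Jan 16 {hms} qfx5120-1 mib2d[4321]: SNMP_TRAP_LINK_{state}: ifIndex {ifidx}, "
            f"ifOperStatus {'up(1)' if state == 'UP' else 'down(2)'}, ifName {ifname}")

# Constructed sample: xe-0/0/1 (ae0 member) flaps four times in ~30 s; xe-0/0/9 is not a LAG member.
SAMPLE_LOG = [_trap(t, s, 526, "xe-0/0/1") for t, s in [
    ("10:22:01", "DOWN"), ("10:22:04", "UP"), ("10:22:10", "DOWN"), ("10:22:13", "UP"),
    ("10:22:20", "DOWN"), ("10:22:23", "UP"), ("10:22:30", "DOWN"), ("10:22:33", "UP")]]
SAMPLE_LOG += [_trap("10:25:00", "DOWN", 540, "xe-0/0/9"), _trap("10:25:02", "UP", 540, "xe-0/0/9")]
```

Feed it the output of `show log messages` (or a syslog collector export) and tune the window and threshold to the baseline you establish for normal member-port behaviour.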
How to Mitigate CVE-2026-21910
Immediate Actions Required
- Review and identify all EX4k and QFX5k devices running vulnerable Junos OS versions
- Assess EVPN-VXLAN configurations with VPLAG deployments for exposure risk
- Plan maintenance windows for patching affected systems
- If exploitation is suspected, restart the affected FPC using `request chassis fpc restart slot <slot-number>`
Patch Information
Juniper Networks has released security patches addressing this vulnerability. Affected versions and their fixed releases include:
| Affected Version Range | Fixed Version |
|---|---|
| All versions before 21.4R3-S12 | 21.4R3-S12 |
| All versions of 22.2 | No fix available (upgrade to patched release) |
| 22.4 before 22.4R3-S8 | 22.4R3-S8 |
| 23.2 before 23.2R2-S5 | 23.2R2-S5 |
| 23.4 before 23.4R2-S5 | 23.4R2-S5 |
| 24.2 before 24.2R2-S3 | 24.2R2-S3 |
| 24.4 before 24.4R2 | 24.4R2 |
For detailed patch information, refer to the Juniper Security Advisory JSA106009.
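To apply the table above across a fleet, the version string from `show version` has to be compared train by train rather than lexically. The following is an added example (not Juniper's code) that encodes the page's fixed-release table and classifies a Junos version string; the simplified version parser and the treatment of trains the table does not list (returned as "unlisted" rather than guessed) are assumptions made here.

```python
"""Check a Junos OS version string against the fixed releases listed for
CVE-2026-21910. Added example; the fixed-release table is copied from the page,
the parser and the handling of unlisted trains are assumptions made here."""
import re
from typing import Optional, Tuple

# Fixed release per train, as given in the advisory table on this page.
# None means the page lists no fixed release for that train (22.2).
FIXED_BY_TRAIN = {
    (21, 4): "21.4R3-S12",
    (22, 2): None,
    (22, 4): "22.4R3-S8",
    (23, 2): "23.2R2-S5",
    (23, 4): "23.4R2-S5",
    (24, 2): "24.2R2-S3",
    (24, 4): "24.4R2",
}
FIRST_TRAIN_FIX = "21.4R3-S12"  # "All versions before 21.4R3-S12" covers older trains too

_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")

def parse_version(v: str) -> Optional[Tuple[int, int, int, int]]:
    """'22.4R3-S7' -> (22, 4, 3, 7); an R release without -S gets S=0.
    Trailing build suffixes such as '.1' are ignored. Returns None for
    strings this simplified parser does not understand."""
    m = _VER.match(v.strip())
    if not m:
        return None
    major, minor, rel, svc = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0)

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version): status is 'vulnerable', 'fixed',
    'unlisted' (train absent from the page's table) or 'unparsed'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed", None
    train = parsed[:2]
    if train < (21, 4):                 # everything before 21.4R3-S12 is affected
        return "vulnerable", FIRST_TRAIN_FIX
    if train not in FIXED_BY_TRAIN:     # do not guess for trains the page omits
        return "unlisted", None
    fixed = FIXED_BY_TRAIN[train]
    if fixed is None:
        return "vulnerable", None       # 22.2: page lists no fixed release
    if parsed >= parse_version(fixed):
        return "fixed", fixed
    return "vulnerable", fixed
```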
Workarounds
- Limit physical access to network equipment to prevent deliberate interface manipulation
- Implement port security features to detect and prevent unauthorized cable disconnections
- Consider segmenting network-adjacent access to critical EVPN-VXLAN infrastructure
- Ensure redundant network paths can handle failover if an FPC requires restart
```
# Verify current Junos OS version
show version
# Check EVPN-VXLAN configuration status
show evpn instance extensive
# Monitor interface status for flapping
show interfaces extensive | match "flap|Physical link"
# Restart affected FPC if service degradation is observed
request chassis fpc restart slot <slot-number>
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.