CVE-2026-21911 Overview
An Incorrect Calculation vulnerability has been identified in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved. This flaw allows an unauthenticated network-adjacent attacker to exploit management interface flapping behavior, causing the learning of new MAC addresses over label-switched interfaces (LSI) to stop while simultaneously generating a flood of log messages, resulting in high CPU usage and service degradation.
Critical Impact
Network-adjacent attackers can disrupt MAC learning operations and cause denial of service through CPU exhaustion without requiring authentication.
Affected Products
- Junos OS Evolved all versions before 21.4R3-S7-EVO
- Junos OS Evolved from 22.2 before 22.2R3-S4-EVO
- Junos OS Evolved from 22.3 before 22.3R3-S3-EVO
- Junos OS Evolved from 22.4 before 22.4R3-S2-EVO
- Junos OS Evolved from 23.2 before 23.2R2-S1-EVO
- Junos OS Evolved from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO
Discovery Timeline
- January 15, 2026 - CVE-2026-21911 published to NVD
- January 16, 2026 - Last updated in NVD database
Technical Details for CVE-2026-21911
Vulnerability Analysis
The vulnerability resides in the Layer 2 Control Protocol Daemon (l2cpd), a critical component responsible for handling Layer 2 protocol operations including MAC address learning and management in Junos OS Evolved environments. The flaw is classified as CWE-682 (Incorrect Calculation), indicating that mathematical or logical computations within the daemon produce unexpected results under certain conditions.
When an attacker flaps the management interface (rapidly bringing it up and down), l2cpd makes a calculation error that disrupts normal MAC address learning over label-switched interfaces. The miscalculation produces an epoch mismatch condition (IFBD_VALIDATE_FAIL_EPOCH_MISMATCH), so the hardware force delete operation fails repeatedly. Each failure is logged, and the resulting flood of messages consumes significant CPU resources.
The attack does not require any authentication, making it particularly dangerous in environments where network-adjacent access is possible. The adjacent network attack vector means the attacker must have Layer 2 adjacency to the target device but does not need credentials or prior access to the system.
Root Cause
The root cause stems from an incorrect calculation within the l2cpd when processing interface state changes during management interface flapping events. The daemon fails to properly synchronize epoch values during interface boundary validation (GETIFBD_VALIDATE_FAILED), resulting in persistent validation failures. This causes the INTRNL_OP_HW_FORCE_DELETE operation to fail with error code 26, leading to a cascade of log messages and preventing legitimate MAC learning operations.
Attack Vector
The attack exploits the adjacent network vector, requiring the attacker to have Layer 2 connectivity to the target Juniper device. By intentionally flapping the management interface, the attacker triggers the incorrect calculation condition within l2cpd. This is a relatively low-complexity attack that requires no user interaction or special privileges.
The attack results in:
- Cessation of new MAC address learning over LSI interfaces
- Generation of excessive log messages flooding the system
- High CPU utilization degrading device performance
- Potential impact to downstream network operations relying on MAC learning
When the vulnerability is triggered, administrators will observe characteristic log entries containing validation failure messages with epoch mismatch indicators.
Detection Methods for CVE-2026-21911
Indicators of Compromise
- Log messages containing GETIFBD_VALIDATE_FAILED and IFBD_VALIDATE_FAIL_EPOCH_MISMATCH errors
- Presence of INTRNL_OP_HW_FORCE_DELETE operations with status code 10 and error code 26
- Unusual log flooding patterns with MAC address-related entries showing reason:0(REASON_NONE)
- Sudden cessation of MAC address learning on label-switched interfaces
Detection Strategies
- Monitor l2cpd logs for repeated occurrences of epoch mismatch validation failures
- Implement alerting on abnormal CPU utilization spikes on Juniper Junos OS Evolved devices
- Track management interface state changes for unusual flapping patterns that could indicate exploitation attempts
- Configure log analysis rules to detect the specific error signature pattern described in the vulnerability advisory
Monitoring Recommendations
- Enable enhanced logging for l2cpd daemon operations to capture detailed error conditions
- Implement SNMP traps or syslog forwarding to centralized security monitoring systems for real-time detection
- Monitor interface state change rates on management interfaces to detect potential exploitation attempts
- Establish baseline CPU utilization metrics to identify anomalous resource consumption patterns
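The log-signature and interface-flap checks listed under Indicators of Compromise, Detection Strategies and Monitoring Recommendations can be scripted against forwarded syslog. The Python example below is added here and is not part of Juniper's advisory or this page's original content. The indicator tokens (GETIFBD_VALIDATE_FAILED, IFBD_VALIDATE_FAIL_EPOCH_MISMATCH, INTRNL_OP_HW_FORCE_DELETE with status 10 / error 26, reason:0(REASON_NONE)) come from the text above; the syslog line layout around them, the SNMP_TRAP_LINK_UP/DOWN wording for link events, the management interface names, the thresholds and the sample log lines are all constructed assumptions for the example and should be adjusted to what the platform actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator tokens quoted in the advisory text. The line layout around them is a
# constructed approximation for this example; real l2cpd output may be worded differently.
EPOCH_MISMATCH = "IFBD_VALIDATE_FAIL_EPOCH_MISMATCH"
VALIDATE_FAILED = "GETIFBD_VALIDATE_FAILED"
REASON_NONE = "reason:0(REASON_NONE)"
FORCE_DELETE_RE = re.compile(
    r"INTRNL_OP_HW_FORCE_DELETE\b.*\bstatus\D{0,8}10\b.*\berror\D{0,8}26\b")
# Link state changes, assumed to use Junos's SNMP_TRAP_LINK_UP/DOWN wording (assumption).
LINK_RE = re.compile(r"SNMP_TRAP_LINK_(?P<state>UP|DOWN)\b.*\bifName (?P<ifname>\S+)")
# Constructed syslog shape: <ISO timestamp> <host> <process[pid]>: <message>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:\s]+):\s*(?P<msg>.*)$")
EPOCH0 = datetime(1970, 1, 1)
MGMT_INTERFACES = {"em0", "re0:mgmt-0", "re1:mgmt-0"}  # adjust per platform (assumption)


def classify(msg):
    """Return the set of advisory indicators present in one message body."""
    tags = set()
    if EPOCH_MISMATCH in msg:
        tags.add("epoch_mismatch")
    if VALIDATE_FAILED in msg:
        tags.add("validate_failed")
    if REASON_NONE in msg:
        tags.add("reason_none")
    if FORCE_DELETE_RE.search(msg):
        tags.add("force_delete_err26")
    return tags


def parse(line):
    """Split one syslog line into (timestamp, host, process, message), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return ts, m["host"], m["proc"].split("[")[0], m["msg"]


def analyze(lines, window_s=60, epoch_threshold=5, flap_threshold=4):
    """Count indicators per host in fixed windows and return alerts above thresholds.

    epoch_threshold: l2cpd epoch-mismatch lines per window (the log-flood signature).
    flap_threshold: link up/down transitions per management interface per window.
    """
    window = timedelta(seconds=window_s)
    epoch_hits = defaultdict(int)   # (host, bucket) -> l2cpd epoch-mismatch lines
    delete_hits = defaultdict(int)  # (host, bucket) -> force-delete error 26 lines
    flaps = defaultdict(int)        # (host, ifname, bucket) -> link transitions
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a syslog line we understand; skip rather than crash
        ts, host, proc, msg = rec
        bucket = (ts - EPOCH0) // window
        tags = classify(msg)
        if proc == "l2cpd" and "epoch_mismatch" in tags:
            epoch_hits[(host, bucket)] += 1
        if "force_delete_err26" in tags:
            delete_hits[(host, bucket)] += 1
        lm = LINK_RE.search(msg)
        if lm and lm["ifname"] in MGMT_INTERFACES:
            flaps[(host, lm["ifname"], bucket)] += 1

    alerts = []
    for (host, bucket), n in sorted(epoch_hits.items()):
        if n >= epoch_threshold:
            alerts.append({"host": host, "type": "l2cpd_epoch_mismatch_flood", "count": n,
                           "force_delete_err26": delete_hits[(host, bucket)],
                           "window_start": (EPOCH0 + bucket * window).isoformat()})
    for (host, ifname, bucket), n in sorted(flaps.items()):
        if n >= flap_threshold:
            alerts.append({"host": host, "type": "mgmt_interface_flap", "interface": ifname,
                           "count": n, "window_start": (EPOCH0 + bucket * window).isoformat()})
    return alerts


# Constructed sample: pe1 shows a flapping management interface followed by the
# repeated validation failures; pe2 logs a single mismatch and should not alert.
SAMPLE_LOG = [
    "2026-01-15T10:00:00 pe1 mib2d[2101]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus down(2), ifOperStatus down(2), ifName re0:mgmt-0",
    "2026-01-15T10:00:03 pe1 mib2d[2101]: SNMP_TRAP_LINK_UP: ifIndex 17, ifAdminStatus up(1), ifOperStatus up(1), ifName re0:mgmt-0",
    "2026-01-15T10:00:05 pe1 mib2d[2101]: SNMP_TRAP_LINK_DOWN: ifIndex 17, ifAdminStatus down(2), ifOperStatus down(2), ifName re0:mgmt-0",
    "2026-01-15T10:00:08 pe1 mib2d[2101]: SNMP_TRAP_LINK_UP: ifIndex 17, ifAdminStatus up(1), ifOperStatus up(1), ifName re0:mgmt-0",
]
for i in range(6):
    SAMPLE_LOG.append(f"2026-01-15T10:00:{10 + i:02d} pe1 l2cpd[3302]: GETIFBD_VALIDATE_FAILED: ifbd lsi.1048576 IFBD_VALIDATE_FAIL_EPOCH_MISMATCH")
    SAMPLE_LOG.append(f"2026-01-15T10:00:{10 + i:02d} pe1 l2cpd[3302]: INTRNL_OP_HW_FORCE_DELETE failed status:10 error:26 reason:0(REASON_NONE)")
SAMPLE_LOG.append("2026-01-15T10:00:30 pe2 l2cpd[3302]: GETIFBD_VALIDATE_FAILED: ifbd lsi.1048577 IFBD_VALIDATE_FAIL_EPOCH_MISMATCH")
SAMPLE_LOG.append("this line is not syslog and is skipped")

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Matching on the indicator tokens rather than the whole line keeps the rule robust to small wording differences between releases; the flap counter is the second signal the page recommends, so that an alert on the management interface can be correlated with the log flood that follows it.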
How to Mitigate CVE-2026-21911
Immediate Actions Required
- Upgrade affected Junos OS Evolved systems to the patched versions specified in the vendor advisory
- Implement network access controls to limit Layer 2 adjacency to trusted systems only
- Review and restrict management interface access to authorized network segments
- Enable rate limiting on log generation to reduce CPU impact if exploitation occurs before patching
Patch Information
Juniper Networks has released security patches addressing this vulnerability. Administrators should upgrade to the following fixed versions based on their current installation:
- For versions before 21.4: Upgrade to 21.4R3-S7-EVO or later
- For 22.2 series: Upgrade to 22.2R3-S4-EVO or later
- For 22.3 series: Upgrade to 22.3R3-S3-EVO or later
- For 22.4 series: Upgrade to 22.4R3-S2-EVO or later
- For 23.2 series: Upgrade to 23.2R2-S1-EVO or later
- For 23.4 series: Upgrade to 23.4R1-S2-EVO, 23.4R2-EVO, or a later release
For detailed patch information, refer to the Juniper Security Advisory JSA106010.
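Checking a fleet against the affected ranges above is easier with a small version comparator. The Python example below is added here and is not Juniper's tooling or part of this page's original content. It encodes exactly the ranges and fixed releases listed above; the version-string parser and the (major, minor, R, S) ordering it uses are the example's own assumptions about how Junos OS Evolved release strings compare, and it reads the first entry ("all versions before 21.4R3-S7-EVO") as covering every release up to and including the 21.4 train, while treating trains the page does not list (for example 22.1) as not affected per the listing.

```python
import re

# Junos OS Evolved release strings look like 22.2R3-S4-EVO: train major.minor, R release
# number, optional S service release. Parsing and comparing them as the tuple
# (major, minor, R, S) is this example's assumption, not Juniper's published rule.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:-EVO)?$", re.IGNORECASE)

# Affected ranges as listed in the advisory text above:
# (train, or None for "any train", first fixed release in that train)
AFFECTED = [
    (None, "21.4R3-S7-EVO"),      # "all versions before 21.4R3-S7-EVO" (see note below)
    ((22, 2), "22.2R3-S4-EVO"),
    ((22, 3), "22.3R3-S3-EVO"),
    ((22, 4), "22.4R3-S2-EVO"),
    ((23, 2), "23.2R2-S1-EVO"),
    ((23, 4), "23.4R1-S2-EVO"),   # 23.4R2-EVO is also fixed and sorts after this anyway
]
# Note: the None entry is read as "every release that sorts before 21.4R3-S7", which
# covers the 21.4 train and everything older; later trains not listed (22.1, 24.x, ...)
# are reported as not affected because the page does not list them (assumption).


def parse_version(text):
    """Parse '22.2R3-S4-EVO' into (22, 2, 3, 4); a missing -S part counts as S0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos OS Evolved version: {text!r}")
    major, minor, release, service = m.groups()
    return int(major), int(minor), int(release), int(service or 0)


def fixed_version_for(installed):
    """Return the first fixed release that applies to `installed`, or None when the
    installed version is not inside any range the advisory lists."""
    v = parse_version(installed)
    for train, fixed in AFFECTED:
        in_train = train is None or (v[0], v[1]) == train
        if in_train and v < parse_version(fixed):
            return fixed
    return None


def is_affected(installed):
    return fixed_version_for(installed) is not None


def report(inventory):
    """Map hostname -> installed version to hostname -> (affected?, fix target)."""
    return {host: (is_affected(ver), fixed_version_for(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real device data.
    sample = {"pe1": "22.2R3-S3-EVO", "pe2": "23.4R2-EVO", "pe3": "21.4R2-S5-EVO"}
    for host, (affected, fix) in report(sample).items():
        print(f"{host}: {'AFFECTED, upgrade to ' + fix if affected else 'not in affected list'}")
```

Because the comparison is purely numeric, a release without an -S suffix sorts below the same release with any service pack (21.4R3 is older than 21.4R3-S7), which is what the "before" wording in the affected list requires.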
Workarounds
- Implement strict Layer 2 access controls to prevent unauthorized network-adjacent access to affected devices
- Configure management interface on isolated VLAN segments with restricted access policies
- Deploy interface dampening configurations to reduce the impact of rapid interface state changes
- Consider implementing out-of-band management networks to isolate management traffic from potential attackers
The recommended mitigation is to apply the vendor-supplied patches. Consult the Juniper Security Advisory JSA106010 for specific configuration guidance and additional workaround options.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.