The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-21912

CVE-2026-21912: Junos OS TOCTOU Race Condition Flaw

CVE-2026-21912 is a Time-of-check Time-of-use race condition in Juniper Junos OS on MX10k Series that allows local attackers to crash line cards via CLI commands. This article covers technical details, affected versions, impact, and mitigation.

Published: January 23, 2026

CVE-2026-21912 Overview

A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists in the method used to collect FPC Ethernet firmware statistics in Juniper Networks Junos OS on the MX10k Series. This vulnerability allows a local, low-privileged attacker to cause an LC480 or LC2101 line card to reset by repeatedly executing the show system firmware CLI command.

On affected MX10k Series systems with LC480 or LC2101 line cards, repeated execution of the show system firmware CLI command can cause the line card to crash and restart. Additionally, some time after the line card crashes, the chassisd daemon may also crash and restart, generating a core dump. This creates a denial of service condition that can significantly impact network availability.

Critical Impact

Local attackers with low-level CLI access can trigger line card resets and chassis daemon crashes, causing network service disruption on critical MX10k Series infrastructure.

Affected Products

  • Juniper Networks Junos OS on MX10k Series - all versions before 21.2R3-S10
  • Juniper Networks Junos OS on MX10k Series - from 21.4 before 21.4R3-S9
  • Juniper Networks Junos OS on MX10k Series - from 22.2 before 22.2R3-S7
  • Juniper Networks Junos OS on MX10k Series - from 22.4 before 22.4R3-S6
  • Juniper Networks Junos OS on MX10k Series - from 23.2 before 23.2R2-S2
  • Juniper Networks Junos OS on MX10k Series - from 23.4 before 23.4R2-S3
  • Juniper Networks Junos OS on MX10k Series - from 24.2 before 24.2R2

Discovery Timeline

  • 2026-01-15 - CVE-2026-21912 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2026-21912

Vulnerability Analysis

This vulnerability (CWE-367) is classified as a Time-of-check Time-of-use (TOCTOU) race condition affecting the firmware statistics collection mechanism within Junos OS. The vulnerability exists in the code path executed when a user invokes the show system firmware CLI command on MX10k Series routers equipped with LC480 or LC2101 line cards.

The flaw resides in how the system validates and subsequently accesses resources during the FPC Ethernet firmware statistics collection process. A time gap exists between when the system checks a resource's state and when it actually uses that resource, creating an exploitable window. A local attacker with low-level privileges can exploit this race condition by repeatedly executing the vulnerable CLI command, causing the firmware statistics collection routine to access inconsistent data states.

Root Cause

The root cause is a classic TOCTOU race condition in the FPC Ethernet firmware statistics collection code. When the show system firmware command is executed, the system performs a check on certain firmware data structures, but before it can safely use those checked values, the state can change due to concurrent operations. This temporal gap allows the race condition to manifest, particularly under repeated command execution scenarios.

The race condition specifically affects the LC480 and LC2101 line cards, suggesting these models have unique firmware statistics collection routines or data structures that are susceptible to this timing vulnerability. The fact that the chassisd daemon can also crash following line card failures indicates a cascade effect where the chassis management process encounters unexpected states when handling line card recovery.

Attack Vector

The attack requires local access to the Junos OS CLI with low-level privileges. An authenticated attacker positioned on the device can trigger the vulnerability through the following attack pattern:

The attacker repeatedly executes the show system firmware CLI command on an affected MX10k Series device. The rapid, repeated execution of this command triggers the race condition in the firmware statistics collection routine. The timing window between the check and use phases is exploited, causing memory corruption or inconsistent state access that leads to the LC480 or LC2101 line card crashing.

Following the line card crash, the chassisd process may subsequently crash due to encountering unexpected states during line card recovery operations. This results in a core dump being generated and further service disruption as the chassis management daemon restarts.

Detection Methods for CVE-2026-21912

Indicators of Compromise

  • Repeated or unusual execution patterns of the show system firmware CLI command in system logs
  • Unexpected LC480 or LC2101 line card resets without hardware or configuration changes
  • Core dumps generated by the chassisd daemon following line card failures
  • Increased frequency of FPC restart events correlated with user CLI activity

Detection Strategies

  • Monitor Junos OS system logs for excessive show system firmware command executions from non-administrative users
  • Implement alerting on unexpected line card reset events on MX10k Series devices with LC480 or LC2101 cards
  • Configure syslog forwarding to capture and analyze chassisd crash events and core dump generation
  • Deploy behavioral monitoring to detect anomalous CLI command patterns from user accounts

Monitoring Recommendations

  • Enable enhanced logging for CLI command execution auditing on all MX10k Series devices
  • Configure SNMP traps for FPC and line card state change events
  • Implement centralized log collection for correlation of command execution with hardware events
  • Review user access permissions and limit show system firmware access to trusted administrators

How to Mitigate CVE-2026-21912

Immediate Actions Required

  • Upgrade affected Junos OS installations to patched versions as specified in the Juniper advisory
  • Restrict CLI access to the show system firmware command to only trusted, high-privilege administrators
  • Monitor for unusual line card reset patterns on MX10k Series devices with LC480 or LC2101 cards
  • Implement access controls to limit local device access to authorized personnel only

Patch Information

Juniper Networks has released security updates to address this vulnerability. Organizations should upgrade to the following fixed versions based on their current deployment:

  • Upgrade to 21.2R3-S10 or later for the 21.2 release train
  • Upgrade to 21.4R3-S9 or later for the 21.4 release train
  • Upgrade to 22.2R3-S7 or later for the 22.2 release train
  • Upgrade to 22.4R3-S6 or later for the 22.4 release train
  • Upgrade to 23.2R2-S2 or later for the 23.2 release train
  • Upgrade to 23.4R2-S3 or later for the 23.4 release train
  • Upgrade to 24.2R2 or later for the 24.2 release train

For complete patch details and download links, refer to the Juniper Security Advisory JSA106011.

Workarounds

  • Implement CLI access controls using Junos OS login classes to restrict show system firmware command access
  • Configure AAA (Authentication, Authorization, and Accounting) to limit command authorization for low-privileged users
  • Consider using read-only user accounts with explicit command denials for firmware-related show commands
  • Implement rate limiting on CLI sessions to reduce the feasibility of rapid command execution attacks
bash
# Example: Restrict show system firmware command using login class
set system login class restricted-operator permissions view
set system login class restricted-operator deny-commands "show system firmware"
set system login user limited-user class restricted-operator

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRace Condition
  • Vendor/TechJunos Os
  • SeverityMEDIUM
  • CVSS Score6.8
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:Amber
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-367
  • Technical References
  • Juniper Security Advisory JSA106011
  • Juniper Support Portal JSA106011
  • Related CVEs
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-21920: Juniper Junos OS SRX Series DoS Flaw
  • CVE-2026-21903: Juniper Junos OS DoS Vulnerability
  • CVE-2026-21911: Junos OS Evolved L2CPD DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English