CVE-2026-21913 Overview
An Incorrect Initialization of Resource vulnerability has been discovered in the Internal Device Manager (IDM) of Juniper Networks Junos OS affecting EX4000 series switches. This vulnerability allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) condition on affected devices.
On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP), a high volume of traffic destined to the device will cause an FXPC crash and restart, leading to a complete service outage until the device has automatically restarted.
Critical Impact
Unauthenticated attackers can remotely crash affected Juniper EX4000 switches with high-volume traffic, causing complete network service outages requiring automatic device restart.
Affected Products
- Juniper Networks Junos OS on EX4000-48T
- Juniper Networks Junos OS on EX4000-48P
- Juniper Networks Junos OS on EX4000-48MP
- Junos OS 24.4 versions before 24.4R2
- Junos OS 25.2 versions before 25.2R1-S2, 25.2R2
Discovery Timeline
- 2026-01-15 - CVE-2026-21913 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2026-21913
Vulnerability Analysis
This vulnerability stems from an Incorrect Initialization of Resource issue within the Internal Device Manager (IDM) component of Junos OS. The IDM is responsible for managing internal device operations on EX4000 series switches. When the affected models receive a high volume of traffic destined directly to the device, the improperly initialized resources in the IDM fail to handle the load correctly.
The failure triggers a crash in the FXPC (Flexible PIC Concentrator) component, which is critical for packet forwarding and processing on the switch. The crash results in a watchdog timeout combined with a kernel panic, forcing the device to perform a core dump and restart automatically.
Administrators can identify if this vulnerability has been exploited by examining the output of show chassis routing-engine command or reviewing system logs for the following reboot reason:
reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump
It's important to note that versions prior to 24.4R1 are not affected, as this was the first Junos OS release supporting the EX4000 models.
Root Cause
The vulnerability is caused by incorrect initialization of resources within the Internal Device Manager (IDM) component. When the IDM processes a high volume of incoming traffic destined to the device itself, the improperly initialized resources lead to resource exhaustion or corruption, triggering the FXPC watchdog timer and causing a panic condition with a core dump.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending a high volume of network traffic directly to the management interface or any interface on the affected EX4000 switch. The attack does not require any special privileges or access to the device—only network reachability to the target switch.
The attacker floods the device with traffic, overwhelming the improperly initialized IDM resources. This causes the FXPC component to crash, resulting in a complete service outage. The device will automatically restart, but repeated attacks can cause sustained denial of service.
Detection Methods for CVE-2026-21913
Indicators of Compromise
- Unexpected device reboots with reason code 0x4000002 visible in show chassis routing-engine output
- Log entries containing reason_string=0x4000002:watchdog + panic with core dump
- Core dump files generated during FXPC crashes
- Sudden network connectivity loss on EX4000-48T, EX4000-48P, or EX4000-48MP switches
Detection Strategies
- Monitor system logs for watchdog timeout and panic messages with reason code 0x4000002
- Implement network traffic analysis to detect anomalous high-volume traffic patterns directed at switch management interfaces
- Configure SNMP traps or syslog alerts for unexpected device reboot events
- Review show chassis routing-engine output periodically for evidence of crash conditions
Monitoring Recommendations
- Enable centralized logging for all EX4000 series switches to capture reboot events and crash indicators
- Deploy network monitoring tools to baseline normal traffic levels and alert on significant deviations targeting switch interfaces
- Implement rate limiting on management interfaces where operationally feasible
- Create alerting rules for core dump generation events on affected devices
How to Mitigate CVE-2026-21913
Immediate Actions Required
- Identify all EX4000-48T, EX4000-48P, and EX4000-48MP switches in your environment running vulnerable Junos OS versions
- Review the Juniper Security Advisory JSA106014 for detailed remediation guidance
- Plan and schedule upgrades to patched Junos OS versions as soon as possible
- Implement network access controls to limit traffic reaching affected switch interfaces from untrusted sources
Patch Information
Juniper Networks has released patches addressing this vulnerability. Affected organizations should upgrade to the following fixed versions:
- For Junos OS 24.4 branch: Upgrade to 24.4R2 or later
- For Junos OS 25.2 branch: Upgrade to 25.2R1-S2 or 25.2R2 or later
Refer to the Juniper Knowledge Base article JSA106014 for detailed upgrade instructions and additional technical information.
Workarounds
- Implement access control lists (ACLs) or firewall filters to restrict traffic destined to switch management and control plane interfaces
- Deploy network-based rate limiting upstream of affected switches to reduce the volume of traffic that can reach the vulnerable devices
- Configure loopback filter policies to protect the routing engine from high-volume traffic floods
- Isolate switch management interfaces on dedicated management VLANs with strict access controls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
