
CVE-2026-21918: Juniper Junos DoS Vulnerability

CVE-2026-21918 is a double free denial-of-service flaw in Juniper Junos OS affecting SRX and MX Series devices. Attackers can crash flowd during TCP session establishment. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-21918 Overview

CVE-2026-21918 is a double free vulnerability [CWE-415] in the flow processing daemon (flowd) of Juniper Networks Junos OS running on SRX Series and MX Series platforms. An unauthenticated, network-based attacker can trigger the flaw by sending a specific sequence of packets during TCP session establishment. The condition causes flowd to crash and the affected Flexible PIC Concentrator (FPC) to restart, producing a Denial-of-Service (DoS) on the device.

Critical Impact

Remote, unauthenticated attackers can crash the flow processing daemon and force an FPC restart on Juniper SRX and MX Series devices, disrupting traffic forwarding and stateful firewall services.

Affected Products

  • Juniper Junos OS on SRX Series: all versions before 22.4R3-S7, 23.2 versions before 23.2R2-S3, 23.4 versions before 23.4R2-S4, and 24.2 versions before 24.2R2.
  • Juniper Junos OS on MX Series: same version ranges as above, covering models including MX204, MX240, MX304, MX480, MX960, MX2008, MX2010, MX2020, MX10004, and MX10008.
  • SRX Series hardware: SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800.

Discovery Timeline

  • 2026-01-15 - CVE-2026-21918 published to NVD
  • 2026-01-23 - Last updated in NVD database

Technical Details for CVE-2026-21918

Vulnerability Analysis

The vulnerability resides in flowd, the user-space daemon on Junos OS that handles stateful packet flow processing on SRX and MX Series platforms. During TCP session establishment, a specific packet sequence triggers a double free condition in the daemon's session-handling code path. When the same memory region is released twice, the daemon's heap state becomes inconsistent, leading to a crash. The crash cascades to the FPC hosting the daemon, forcing an FPC restart and interrupting traffic forwarded through that component. Because the trigger requires only a crafted packet sequence reaching the device, no authentication or user interaction is needed.

Root Cause

The defect is a double free [CWE-415] in the TCP session establishment logic. The code path frees a buffer associated with the in-progress session and, under a specific packet sequence, frees the same pointer a second time without nulling it or re-validating ownership. This violates heap allocator invariants and aborts the process.

Attack Vector

An attacker sends a crafted TCP handshake sequence to any interface or service that subjects traffic to flowd processing. Repeated triggering produces a sustained DoS by continuously restarting the FPC. The issue does not require credentials, configuration changes, or local access.

No public exploit code is available for CVE-2026-21918. The vulnerability is described in Juniper Security Advisory JSA106018; no proof-of-concept code was generated synthetically for this article because verified proof-of-concept code has not been released.

Detection Methods for CVE-2026-21918

Indicators of Compromise

  • Unexpected flowd process crashes recorded in /var/log/messages or chassis logs, accompanied by core files attributed to flowd.
  • FPC restart events correlated with inbound TCP traffic spikes from a small set of source addresses.
  • Brief, repeating traffic blackouts on flows traversing the affected FPC, with session table resets visible in show security flow session output.

Detection Strategies

  • Monitor Junos syslog for flowd daemon termination, core dump generation, and FPC reboot messages, then correlate with upstream packet captures.
  • Inspect SNMP traps and chassis alarms for repeated FPC resets, which on healthy hardware are rare events.
  • Use NetFlow or sFlow telemetry to identify anomalous short-lived TCP handshakes immediately preceding daemon crashes.

Monitoring Recommendations

  • Centralize Junos system logs into a SIEM and alert on patterns matching flowd restarts or kernel-reported daemon failures.
  • Baseline normal FPC uptime and trigger alerts when an FPC reboots without an operator-initiated change.
  • Track inbound TCP SYN volume per source against historical norms to surface probing activity targeting the flaw.
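
The correlation described in the detection and monitoring lists above, as an added example (not code from Juniper or from this article): it pairs each FPC restart with a flowd crash seen shortly before it on the same host, then flags hosts where that pairing repeats inside a window. The keyword patterns, the line layout, the thresholds and the sample lines are all constructed assumptions and must be tuned against real device logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed keyword patterns: real Junos message text differs by release and
# platform, so tune both against logs collected from your own devices.
FLOWD_CRASH = re.compile(r"\bflowd\b.*\b(core|terminated|exited)\b", re.I)
FPC_RESTART = re.compile(r"\bFPC\s*\d+\b.*\brestart", re.I)
# Assumed collector layout: <ISO timestamp> <host> <message>
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")

# Constructed, simplified sample lines (not captured from a device).
SAMPLE_LOG = [
    "2026-01-20T10:00:01 srx-a flowd: core dumped, process terminated",
    "2026-01-20T10:00:20 srx-a chassisd: FPC 0 restarting",
    "2026-01-20T10:12:05 srx-a flowd: core dumped, process terminated",
    "2026-01-20T10:12:30 srx-a chassisd: FPC 0 restarting",
    "2026-01-20T11:00:00 mx-b chassisd: FPC 2 restarting",
    "2026-01-20T11:30:00 srx-c flowd: core dumped, process terminated",
    "2026-01-20T11:30:10 srx-c chassisd: FPC 1 restarting",
]

def correlated_incidents(lines, gap=timedelta(minutes=2)):
    """Return (host, time) for each FPC restart that follows a flowd crash within gap."""
    last_crash, incidents = {}, []
    for line in lines:  # lines are assumed to be in chronological order
        m = LINE.match(line)
        if not m:
            continue
        ts, host, msg = datetime.fromisoformat(m[1]), m[2], m[3]
        if FLOWD_CRASH.search(msg):
            last_crash[host] = ts
        elif FPC_RESTART.search(msg) and host in last_crash:
            if ts - last_crash[host] <= gap:
                incidents.append((host, ts))
    return incidents

def repeated_restarts(lines, threshold=2, window=timedelta(hours=1)):
    """Return {host: count} for hosts with >= threshold incidents in one window."""
    per_host = defaultdict(list)
    for host, ts in correlated_incidents(lines):
        per_host[host].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        # Largest number of incidents inside any window ending at an incident.
        worst = max(sum(1 for s in stamps[: i + 1] if ts - s <= window)
                    for i, ts in enumerate(stamps))
        if worst >= threshold:
            flagged[host] = worst
    return flagged
```

An FPC restart with no preceding flowd crash (mx-b in the sample) is left out of the count, so hardware faults and operator-initiated restarts do not raise this particular alert.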

How to Mitigate CVE-2026-21918

Immediate Actions Required

  • Upgrade Junos OS to a fixed release: 22.4R3-S7, 23.2R2-S3, 23.4R2-S4, 24.2R2, or later as published in the Juniper advisory.
  • Inventory all SRX and MX Series devices and confirm running versions with show version before scheduling upgrades.
  • Restrict exposure of management and transit interfaces to untrusted networks while patching is in progress.
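
The inventory step above, as an added example (not code from Juniper or from this article): it classifies collected `show version` strings against the fixed releases listed on this page. The assumed version-string shape and the `INVENTORY` hostnames and versions are constructed for illustration; release trains the page does not name are reported as `unlisted` rather than guessed.

```python
import re

# Fixed release per train, from the fixed versions listed on this page:
# train (year, minor) -> (R number, S number).
FIXED = {
    (22, 4): (3, 7),  # 22.4R3-S7
    (23, 2): (2, 3),  # 23.2R2-S3
    (23, 4): (2, 4),  # 23.4R2-S4
    (24, 2): (2, 0),  # 24.2R2
}
OLDEST_TRAIN = min(FIXED)  # the page lists "all versions before 22.4R3-S7"

# Assumed version shape: <year>.<minor>R<release>[-S<service>][.<build>]
VERSION_RE = re.compile(r"\b(\d{2})\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?")

def classify(version_text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for one version string."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unparsed"  # e.g. special release naming: review by hand
    year, minor, rel, svc = (int(g or 0) for g in m.groups())
    train, level = (year, minor), (rel, svc)
    if train < OLDEST_TRAIN:
        return "affected"  # every train older than 22.4 is in range
    if train not in FIXED:
        return "unlisted"  # train not named on this page: consult JSA106018
    return "affected" if level < FIXED[train] else "fixed"

# Constructed inventory: hostnames and versions are illustrative only.
INVENTORY = {
    "srx-edge-1": "Junos: 22.4R3-S6.5",
    "srx-edge-2": "Junos: 22.4R3-S7.2",
    "mx-core-1": "Junos: 21.4R3-S9",
    "mx-core-2": "Junos: 24.2R1-S2.5",
    "mx-core-3": "Junos: 23.1R1.8",
    "srx-lab-1": "Junos: 15.1X49-D170",
}

def audit(inventory):
    """Return (host, status) rows, most urgent statuses first."""
    order = ["affected", "unparsed", "unlisted", "fixed"]
    rows = [(host, classify(text)) for host, text in inventory.items()]
    return sorted(rows, key=lambda r: (order.index(r[1]), r[0]))

if __name__ == "__main__":
    for host, status in audit(INVENTORY):
        print(f"{host:12} {status}")
```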

Patch Information

Juniper Networks has released fixed software addressing CVE-2026-21918. Refer to Juniper Security Advisory JSA106018 and the Juniper Support Portal advisory for the complete list of fixed releases and upgrade guidance for each affected platform.

Workarounds

  • Apply ingress filtering with firewall filters or screens to drop malformed or unexpected TCP handshake sequences before they reach flowd.
  • Use control-plane and loopback filters to limit which sources can initiate TCP sessions terminating on the device.
  • Enable robust logging on FPC restart events to support rapid identification and source attribution if the device is targeted.

```
# Operational mode: verify the current Junos version before upgrading
show version | match "Junos:"

# Configuration mode: example firewall filter to limit TCP exposure on an untrusted interface.
# Replace <trusted-prefix> and <ifname> with site-specific values.
set firewall family inet filter PROTECT-FLOWD term LIMIT-TCP from protocol tcp
set firewall family inet filter PROTECT-FLOWD term LIMIT-TCP from source-address <trusted-prefix>
set firewall family inet filter PROTECT-FLOWD term LIMIT-TCP then accept
# The DEFAULT term discards everything LIMIT-TCP did not accept, including non-TCP traffic
set firewall family inet filter PROTECT-FLOWD term DEFAULT then discard
set interfaces <ifname> unit 0 family inet filter input PROTECT-FLOWD
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
