CVE-2026-21918: Juniper Junos OS Double Free DoS Flaw

CVE-2026-21918 Overview

A Double Free vulnerability has been identified in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series devices. This critical memory corruption flaw allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) condition by sending a specific sequence of packets during TCP session establishment.

The vulnerability occurs when the flowd process encounters a particular packet sequence during TCP session setup, triggering a double free condition. This causes the flowd daemon to crash and forces the affected Flexible PIC Concentrator (FPC) to restart, disrupting network traffic processing and security services.

Critical Impact
Unauthenticated remote attackers can crash the flow processing daemon on Juniper SRX and MX Series devices, causing network service disruption and potential security policy bypass during the restart period.

Affected Products

Juniper Networks Junos OS on SRX Series - all versions before 22.4R3-S7
Juniper Networks Junos OS on MX Series - all versions before 22.4R3-S7
Juniper Networks Junos OS 23.2 versions before 23.2R2-S3
Juniper Networks Junos OS 23.4 versions before 23.4R2-S4
Juniper Networks Junos OS 24.2 versions before 24.2R2

Discovery Timeline

2026-01-15 - CVE-2026-21918 published to NVD
2026-01-16 - Last updated in NVD database

Technical Details for CVE-2026-21918

Vulnerability Analysis

This vulnerability is classified as CWE-415 (Double Free), a memory corruption issue where the same memory allocation is freed twice. In the context of the flowd daemon on Juniper SRX and MX Series devices, this occurs during TCP session establishment when processing network traffic flows.

The flowd process is responsible for handling flow-based packet processing, which is fundamental to firewall, NAT, and routing operations on these platforms. When exploited, the double free condition corrupts memory management structures, leading to an immediate crash of the daemon.

The impact extends beyond simple service disruption. During the FPC restart period, traffic processing is interrupted, and security policies may not be enforced. For devices serving as network perimeter security, this creates a window of vulnerability where traffic could bypass inspection.

Root Cause

The root cause is a double free condition in the flowd daemon's memory management during TCP session handling. When a specific sequence of packets is processed during TCP connection establishment, the code path incorrectly frees the same memory allocation twice. This corrupts the heap memory structures and results in daemon termination.

Double free vulnerabilities typically arise from improper tracking of memory ownership or race conditions in deallocation routines. In this case, the specific packet sequence triggers a code path where memory cleanup occurs prematurely, and subsequent processing attempts to free already-freed memory.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker with network access to a vulnerable Juniper SRX or MX Series device can exploit this vulnerability by:

Initiating TCP session establishment with the target device
Sending a crafted sequence of packets during the handshake process
Triggering the double free condition in flowd
Causing the daemon to crash and the FPC to restart

The attack can be repeated to create sustained denial-of-service conditions, as each crash-restart cycle interrupts traffic processing. This is particularly impactful in high-availability deployments where the security gateway must maintain continuous operation.

Technical details regarding the specific packet sequence required to trigger this vulnerability should be obtained from the Juniper Security Advisory JSA106018.

Detection Methods for CVE-2026-21918

Indicators of Compromise

Unexpected flowd process crashes recorded in system logs
FPC restart events without administrative action or hardware failure
Multiple core dumps from the flowd daemon in /var/crash/
Repeated TCP session establishment failures from specific source IPs

Detection Strategies

Monitor system logs for flowd crash messages and FPC restart events using show log messages | match flowd
Configure SNMP traps for FPC state changes to detect restart conditions
Implement NetFlow or sFlow analysis to identify unusual TCP session patterns targeting the device
Review core dump files for double free signatures in memory debugging output

Monitoring Recommendations

Enable centralized logging for all SRX and MX Series devices to correlate crash events across the infrastructure
Configure alerting thresholds for FPC restart frequency to identify potential exploitation attempts
Deploy network monitoring to track TCP connection patterns and identify potential attack sources
Implement SentinelOne Singularity for network infrastructure visibility and anomaly detection

How to Mitigate CVE-2026-21918

Immediate Actions Required

Upgrade affected Junos OS installations to the fixed versions listed in the Juniper security advisory
Implement network access controls to limit TCP session initiation to trusted sources where possible
Monitor device logs and system health for signs of exploitation
Review high-availability configurations to ensure failover operates correctly during potential attacks

Patch Information

Juniper Networks has released patched versions of Junos OS that address this vulnerability. Organizations should upgrade to the following versions or later:

Junos OS 22.4R3-S7 or later for versions before 22.4
Junos OS 23.2R2-S3 or later for 23.2 branch
Junos OS 23.4R2-S4 or later for 23.4 branch
Junos OS 24.2R2 or later for 24.2 branch

For detailed patch information and download links, refer to the Juniper Security Advisory JSA106018.

Workarounds

Implement strict firewall rules to limit which source IP addresses can establish TCP sessions with management interfaces
Deploy intrusion prevention systems (IPS) upstream to filter malicious traffic patterns
Enable rate limiting for new TCP session establishment to reduce the impact of repeated exploitation attempts
Consider deploying devices in high-availability pairs to minimize service disruption during potential attacks

bash

# Example: Limit TCP session establishment to trusted management networks
# Add to firewall filter on loopback interface
set firewall family inet filter protect-re term allow-trusted from source-prefix-list trusted-mgmt
set firewall family inet filter protect-re term allow-trusted then accept
set firewall family inet filter protect-re term default then discard

CVE-2026-21918 Overview

Critical Impact
Unauthenticated remote attackers can crash the flow processing daemon on Juniper SRX and MX Series devices, causing network service disruption and potential security policy bypass during the restart period.

Affected Products

Juniper Networks Junos OS on SRX Series - all versions before 22.4R3-S7
Juniper Networks Junos OS on MX Series - all versions before 22.4R3-S7
Juniper Networks Junos OS 23.2 versions before 23.2R2-S3
Juniper Networks Junos OS 23.4 versions before 23.4R2-S4
Juniper Networks Junos OS 24.2 versions before 24.2R2

Discovery Timeline

2026-01-15 - CVE-2026-21918 published to NVD
2026-01-16 - Last updated in NVD database

Technical Details for CVE-2026-21918

Vulnerability Analysis

Root Cause

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker with network access to a vulnerable Juniper SRX or MX Series device can exploit this vulnerability by:

Initiating TCP session establishment with the target device
Sending a crafted sequence of packets during the handshake process
Triggering the double free condition in flowd
Causing the daemon to crash and the FPC to restart

Technical details regarding the specific packet sequence required to trigger this vulnerability should be obtained from the Juniper Security Advisory JSA106018.

Detection Methods for CVE-2026-21918

Indicators of Compromise

Unexpected flowd process crashes recorded in system logs
FPC restart events without administrative action or hardware failure
Multiple core dumps from the flowd daemon in /var/crash/
Repeated TCP session establishment failures from specific source IPs

Detection Strategies

Monitor system logs for flowd crash messages and FPC restart events using show log messages | match flowd
Configure SNMP traps for FPC state changes to detect restart conditions
Implement NetFlow or sFlow analysis to identify unusual TCP session patterns targeting the device
Review core dump files for double free signatures in memory debugging output

Monitoring Recommendations

Enable centralized logging for all SRX and MX Series devices to correlate crash events across the infrastructure
Configure alerting thresholds for FPC restart frequency to identify potential exploitation attempts
Deploy network monitoring to track TCP connection patterns and identify potential attack sources
Implement SentinelOne Singularity for network infrastructure visibility and anomaly detection

How to Mitigate CVE-2026-21918

Immediate Actions Required

Upgrade affected Junos OS installations to the fixed versions listed in the Juniper security advisory
Implement network access controls to limit TCP session initiation to trusted sources where possible
Monitor device logs and system health for signs of exploitation
Review high-availability configurations to ensure failover operates correctly during potential attacks

Patch Information

Juniper Networks has released patched versions of Junos OS that address this vulnerability. Organizations should upgrade to the following versions or later:

Junos OS 22.4R3-S7 or later for versions before 22.4
Junos OS 23.2R2-S3 or later for 23.2 branch
Junos OS 23.4R2-S4 or later for 23.4 branch
Junos OS 24.2R2 or later for 24.2 branch

For detailed patch information and download links, refer to the Juniper Security Advisory JSA106018.

Workarounds

Implement strict firewall rules to limit which source IP addresses can establish TCP sessions with management interfaces
Deploy intrusion prevention systems (IPS) upstream to filter malicious traffic patterns
Enable rate limiting for new TCP session establishment to reduce the impact of repeated exploitation attempts
Consider deploying devices in high-availability pairs to minimize service disruption during potential attacks

bash

# Example: Limit TCP session establishment to trusted management networks
# Add to firewall filter on loopback interface
set firewall family inet filter protect-re term allow-trusted from source-prefix-list trusted-mgmt
set firewall family inet filter protect-re term allow-trusted then accept
set firewall family inet filter protect-re term default then discard

CVE-2026-21918: Juniper Junos OS Double Free DoS Flaw

CVE-2026-21918 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-21918

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-21918

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-21918

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-21918: Juniper Junos OS Double Free DoS Flaw

CVE-2026-21918 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-21918

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-21918

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-21918

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform