CVE-2026-21909
Published: Jan 15, 2026
Modified: Jan 15, 2026
CVSS v3.1
6.5
Description
A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the 'show task memory detail' command. For example: user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 25 1072 28 1184 229 user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 31 1360 34 1472 307 This issue affects: Junos OS: * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S2, 23.4R2, * from 24.1 before 24.1R2; Junos OS Evolved: * from 23.2 before 23.2R2-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.
| Vendor | Product | Versions |
|---|---|---|
Juniper Networks | Junos OS | affected 23.2 - < 23.2R2affected 23.4 - < 23.4R1-S2, 23.4R2affected 24.1 - < 24.1R2unaffected 0 - < 23.2R1 |
Juniper Networks | Junos OS Evolved | affected 23.2 - < 23.2R2-EVOaffected 23.4 - < 23.4R1-S2-EVO, 23.4R2-EVOaffected 24.1 - < 24.1R2-EVOunaffected 0 - < 23.2R1-EVO |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now