CVE-2026-21905

High
CWE-835 — Weakness Type
Published: Jan 15, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 7.5
📄 Description (English)

A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS).

On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC.

This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue.

This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC:



* all versions before 21.2R3-S10, 
* from 21.4 before 21.4R3-S12, 
* from 22.4 before 22.4R3-S8, 
* from 23.2 before 23.2R2-S5, 
* from 23.4 before 23.4R2-S6, 
* from 24.2 before 24.2R2-S3, 
* from 24.4 before 24.4R2-S1, 
* from 25.2 before 25.2R1-S1, 25.2R2.
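
As an added example (not from NVD or Juniper), this Python sketch triages a device inventory against the fixed releases listed above. It assumes plain `NN.NRn[-Sn][.build]` version strings and that any release at or above a train's first fixed level carries the fix; the hostnames and versions in `SAMPLE` are constructed, and platform (SRX, or MX with MX-SPC3/MS-MPC) and SIP ALG state still have to be checked separately.

```python
import re

# First fixed (R, S) level per release train, copied from the list above.
# For 25.2 the page also names 25.2R2, which sorts after 25.2R1-S1.
FIRST_FIXED = {
    (21, 2): (3, 10), (21, 4): (3, 12), (22, 4): (3, 8), (23, 2): (2, 5),
    (23, 4): (2, 6), (24, 2): (2, 3), (24, 4): (2, 1), (25, 2): (1, 1),
}
OLDEST_TRAIN = min(FIRST_FIXED)  # (21, 2): every earlier train is affected

# Matches e.g. 21.4R3-S5.4 -> train 21.4, R3, S5 (trailing build number ignored).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for a Junos version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"   # naming this sketch does not handle: review by hand
    major, minor, rel, svc = (int(g) if g else 0 for g in m.groups())
    train = (major, minor)
    if train < OLDEST_TRAIN:
        return "affected"   # "all versions before 21.2R3-S10"
    if train not in FIRST_FIXED:
        return "unlisted"   # train not named on the page: check the vendor advisory
    return "fixed" if (rel, svc) >= FIRST_FIXED[train] else "affected"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by classification so 'affected' can be scheduled first."""
    groups: dict[str, list[str]] = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed inventory (hostnames and versions are made up for illustration).
SAMPLE = {
    "srx-edge-1": "21.4R3-S11.2",
    "srx-edge-2": "21.4R3-S12",
    "mx-core-1": "20.4R3-S9",
    "mx-core-2": "25.2R1",
    "srx-lab-1": "22.2R3-S4",
    "srx-lab-2": "25.2R2",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:9} {', '.join(hosts)}")
```

Devices reported as `unlisted` or `unparsed` are not cleared by this check; they need a manual look at the vendor advisory.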

🤖 AI Executive Summary

A high-severity Denial of Service vulnerability exists in the SIP application layer gateway of Juniper Networks Junos OS, affecting SRX Series and MX Series devices. Unauthenticated attackers can send specific SIP messages over TCP to trigger an infinite loop, crashing the flow management process and disrupting network operations. This vulnerability poses significant risk to Saudi telecommunications and financial infrastructure that rely on Juniper equipment for session border control and network security.

🤖 AI Intelligence Analysis Analyzed: May 3, 2026 19:28
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi telecommunications sector (STC, Mobily, Zain) which heavily utilize Juniper SRX/MX devices for session border control and VoIP gateway functions. Banking sector (SAMA-regulated institutions) using Juniper equipment for secure network infrastructure faces service disruption risks. Government entities and critical infrastructure operators (energy sector, ARAMCO networks) relying on these devices for network segmentation and DDoS mitigation are vulnerable. The attack requires no authentication and can be launched remotely, making it particularly dangerous for border gateway and peering point protection.
🏢 Affected Saudi Sectors
* Telecommunications (STC, Mobily, Zain)
* Banking and Financial Services
* Government and Public Administration
* Energy and Utilities (ARAMCO, SEC)
* Healthcare
* Critical Infrastructure

⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all SRX Series and MX Series devices with MX-SPC3 or MS-MPC cards in your environment
2. Implement TCP-level filtering to restrict SIP traffic (port 5060/5061) to trusted sources only
3. Disable SIP ALG functionality if not required for business operations
4. Monitor flowd and mspmand process stability using Juniper monitoring tools

PATCHING GUIDANCE:
1. Upgrade to patched versions: 21.2R3-S10 or later, 21.4R3-S12 or later, 22.4R3-S8 or later, 23.2R2-S5 or later, 23.4R2-S6 or later, 24.2R2-S3 or later, 24.4R2-S1 or later, or 25.2R1-S1/25.2R2
2. Schedule maintenance windows for device upgrades
3. Test patches in lab environment before production deployment
4. Maintain device redundancy during patching to ensure service continuity

COMPENSATING CONTROLS (if patching delayed):
1. Implement rate limiting on SIP TCP connections at upstream devices
2. Deploy IDS/IPS rules to detect malformed SIP headers
3. Configure connection timeouts for SIP TCP sessions
4. Implement geographic/source-based access controls for SIP traffic
5. Enable syslog monitoring for flowd/mspmand process crashes

DETECTION RULES:
1. Monitor for repeated SIP messages with malformed headers on TCP port 5060/5061
2. Alert on flowd process restarts or mspmand process crashes
3. Track TCP SIP connection patterns showing rapid message sequences
4. Monitor CPU and memory spikes on SRX/MX devices during SIP processing
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
* ECC 2024 A.12.6.1 - Management of technical vulnerabilities
* ECC 2024 A.12.2.1 - Change management procedures
* ECC 2024 A.14.2.1 - Secure development policy
* ECC 2024 A.16.1.5 - Response to information security incidents

🔵 SAMA CSF
* SAMA CSF ID.BE-1 - Asset management
* SAMA CSF PR.IP-12 - Security patch management
* SAMA CSF DE.CM-8 - Malicious code detection
* SAMA CSF RS.MI-2 - Incident response and management

🟡 ISO 27001:2022
* ISO 27001:2022 A.12.3.1 - Configuration management
* ISO 27001:2022 A.14.2.1 - Secure development policy
* ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
* ISO 27001:2022 A.16.1.5 - Response to information security incidents

🟣 PCI DSS v4.0.1
* PCI DSS 6.2 - Security patches and updates
* PCI DSS 11.2 - Vulnerability scanning
* PCI DSS 12.3 - Security policy documentation
📦 Affected Products / CPE 50 entries
juniper:junos
juniper:junos:21.2
juniper:junos:21.4
juniper:junos:22.4
📊 CVSS Score: 7.5 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* Attack Vector: N (Network)
* Attack Complexity: L (Low)
* Privileges Required: N (None)
* User Interaction: N (None)
* Scope: U (Unchanged)
* Confidentiality: N (None)
* Integrity: N (None)
* Availability: H (High)
📋 Quick Facts
* Severity: High
* CVSS Score: 7.5
* CWE: CWE-835
* EPSS: 0.02%
* Exploit: No
* Patch: ✓ Yes
* Published: 2026-01-15
* Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 (Priority: HIGH)