
CVE-2026-21918

High
CWE-415 — Weakness Type
Published: Jan 15, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
7.5
📄 Description (English)

A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, a double free occurs when a specific sequence of packets is encountered during TCP session establishment. This causes flowd to crash and the respective FPC to restart.

This issue affects Junos OS on SRX and MX Series:

* all versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2.

🤖 AI Executive Summary

A double free vulnerability in Juniper Networks Junos OS flow processing daemon (flowd) affects SRX and MX Series devices, allowing unauthenticated network-based attackers to trigger denial-of-service by sending a specific TCP packet sequence during session establishment. The vulnerability causes flowd to crash and triggers FPC restart, disrupting network operations. With CVSS 7.5 and no exploit currently available, this poses significant risk to critical network infrastructure in Saudi Arabia.

🤖 AI Intelligence Analysis (Analyzed: May 3, 2026 21:37)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi critical infrastructure sectors: (1) Banking & Financial Services (SAMA-regulated institutions) — SRX/MX devices are primary perimeter security for banking networks; (2) Government & Defense (NCA oversight) — widespread use in government network infrastructure; (3) Telecommunications (STC, Mobily, Zain) — core routing and security appliances; (4) Energy Sector (Saudi Aramco, SEC) — SRX/MX devices protecting SCADA and operational networks; (5) Healthcare — hospital network security. The DoS impact is severe as it causes complete device restart, disrupting all traffic through affected FPCs and potentially cascading failures in redundant network designs.
🏢 Affected Saudi Sectors
Banking & Financial Services, Government & Defense, Telecommunications, Energy & Utilities, Healthcare, Critical Infrastructure
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all Juniper SRX and MX Series devices in your network and document current Junos OS versions
2. Identify devices running vulnerable versions (pre-22.4R3-S7, 23.2 before 23.2R2-S3, 23.4 before 23.4R2-S4, 24.2 before 24.2R2)
3. Implement network segmentation to restrict TCP session establishment traffic to trusted sources only

PATCHING GUIDANCE:
1. Prioritize patching SRX/MX devices in the following order: perimeter firewalls, core routers, then internal security appliances
2. Apply patches in maintenance windows: upgrade to 22.4R3-S7 or later, 23.2R2-S3 or later, 23.4R2-S4 or later, or 24.2R2 or later
3. Test patches in lab environment first, particularly for devices with high traffic volumes
4. Plan for FPC restart during patching — coordinate with network operations to minimize impact
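
The version check behind "identify devices running vulnerable versions" and the upgrade targets above can be automated. The following is an added example, not code from the vendor or this page: it compares Junos version strings against the fixed releases listed here. The inventory, hostnames and the "unlisted"/"unparsed" categories are assumptions of the example.

```python
import re

# First fixed release per train, as listed on this page: train -> (R, S).
FIXED = {
    (22, 4): (3, 7),  # 22.4R3-S7
    (23, 2): (2, 3),  # 23.2R2-S3
    (23, 4): (2, 4),  # 23.4R2-S4
    (24, 2): (2, 0),  # 24.2R2
}
OLDEST_LISTED = min(FIXED)  # every train older than 22.4 counts as affected

# Handles standard "R" releases such as 22.4R3-S6.5 or 23.2R2.21 only.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def classify(version):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unparsed' for one version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"  # other release formats: review by hand
    major, minor, r, s = (int(g or 0) for g in m.groups())
    train, release = (major, minor), (r, s)
    if train < OLDEST_LISTED:
        return "vulnerable"  # "all versions before 22.4R3-S7"
    if train not in FIXED:
        return "unlisted"  # train not named on this page: check the vendor advisory
    return "vulnerable" if release < FIXED[train] else "fixed"

def triage(inventory):
    """Group a {hostname: version} inventory by classification."""
    groups = {"vulnerable": [], "fixed": [], "unlisted": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        groups[classify(version)].append(host)
    return groups

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = {
    "srx-edge-1": "22.4R3-S6.5",
    "srx-edge-2": "22.4R3-S7",
    "mx-core-1": "21.4R3-S9",
    "mx-core-2": "24.2R1-S2",
    "mx-core-3": "24.4R1",
    "srx-lab-1": "12.3X48-D105",
}
```

Devices reported as "unlisted" or "unparsed" are not cleared by this check; they need a manual comparison against the vendor advisory.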

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement rate limiting on TCP SYN packets at upstream devices
2. Deploy TCP connection state tracking and anomaly detection
3. Configure device redundancy with automatic failover to unaffected FPCs
4. Monitor flowd process health and implement automated restart mechanisms
5. Restrict access to management interfaces to authorized personnel only

DETECTION RULES:
1. Monitor for flowd process crashes and FPC restarts in syslog: search for 'flowd.*crash' or 'FPC.*restart'
2. Alert on unusual TCP packet sequences during session establishment with malformed flags
3. Monitor for repeated connection resets from single source IPs
4. Track FPC restart frequency — baseline normal behavior and alert on anomalies
5. Implement NetFlow/sFlow monitoring to detect traffic patterns triggering the vulnerability
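
Detection rules 1 and 4 can be combined into a single log check. The following is an added example, not part of the original page: it applies the two search patterns above to syslog lines and flags hosts whose FPC restarts repeat inside a time window. The line layout, sample messages, hostnames, threshold and window are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two search patterns given in the detection rules above.
PATTERNS = {
    "flowd_crash": re.compile(r"flowd.*crash", re.IGNORECASE),
    "fpc_restart": re.compile(r"FPC.*restart", re.IGNORECASE),
}

# Constructed sample lines in an assumed "<ISO time> <host> <message>" layout.
# They are NOT real Junos messages; adapt the parsing to your collector's format.
SAMPLE = [
    "2026-02-01T03:10:05 srx-edge-1 flowd crash detected, core dumped",
    "2026-02-01T03:10:20 srx-edge-1 FPC 0 restart initiated",
    "2026-02-01T03:40:00 mx-core-2 interface ge-0/0/1 link up",
    "2026-02-01T03:55:41 srx-edge-1 FPC 0 restart initiated",
    "2026-02-01T09:00:00 mx-core-2 FPC 2 restart initiated",
    "garbled line without timestamp",
]

def find_events(lines):
    """Return (timestamp, host, kind) for every line matching a pattern."""
    events = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines whose first field is not a timestamp
        for kind, pattern in PATTERNS.items():
            if pattern.search(parts[2]):
                events.append((ts, parts[1], kind))
                break
    return events

def repeated(events, kind="fpc_restart", threshold=2, window=timedelta(hours=1)):
    """Map host -> time at which `threshold` events of `kind` fell inside `window`."""
    recent, alerts = defaultdict(deque), {}
    for ts, host, k in sorted(events):
        if k != kind:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(host, ts)
    return alerts
```

Set `threshold` and `window` from the restart baseline of your own devices; a single restart during a planned upgrade should not alert.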
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
* ECC 2024 A.12.6.1 - Management of technical vulnerabilities
* ECC 2024 A.12.2.1 - Change management procedures
* ECC 2024 A.14.2.1 - Security requirements analysis and specification
* ECC 2024 A.16.1.5 - Response to information security incidents
🔵 SAMA CSF
* SAMA CSF ID.RA-1 - Asset management and vulnerability identification
* SAMA CSF PR.IP-12 - Security patch management
* SAMA CSF DE.CM-1 - Detection and monitoring of anomalies
* SAMA CSF RS.RP-1 - Response planning and incident management
🟡 ISO 27001:2022
* ISO 27001:2022 A.12.3.1 - Configuration management
* ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
* ISO 27001:2022 A.14.2.1 - Security requirements for system development
* ISO 27001:2022 A.8.1.3 - Segregation of duties
🟣 PCI DSS v4.0.1
* PCI DSS 6.2 - Security patches and updates
* PCI DSS 11.2 - Vulnerability scanning
* PCI DSS 12.3 - Security policy documentation
📦 Affected Products / CPE 34 entries
* juniper:junos
* juniper:junos:22.4
* juniper:junos:23.2
* juniper:junos:23.4
* juniper:junos:24.2
📊 CVSS Score
7.5 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* Attack Vector: N (Network)
* Attack Complexity: L (Low)
* Privileges Required: N (None)
* User Interaction: N (None)
* Scope: U (Unchanged)
* Confidentiality: N (None)
* Integrity: N (None)
* Availability: H (High)
📋 Quick Facts
* Severity: High
* CVSS Score: 7.5
* CWE: CWE-415
* EPSS: 0.02%
* Exploit: No
* Patch: Yes
* Published: 2026-01-15
* Source Feed: nvd
* Saudi Risk Score: 8.2 / 10.0
* Priority: CRITICAL