الثغرات ›

CVE-2026-21906

مرتفع

CWE-755 — نوع الضعف

                    نُشر: Jan 15, 2026                      ·  آخر تحديث: Feb 28, 2026                      ·  المصدر: NVD                

CVSS v3

7.5

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart.

When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing.

Note that PMI with GRE performance acceleration is only supported on specific SRX platforms.
This issue affects Junos OS on the SRX Series:

* all versions before 21.4R3-S12,
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2-S1,
* from 25.2 before 25.2R1-S1, 25.2R2.

🤖 ملخص AI

A denial-of-service vulnerability in Juniper SRX Series firewalls allows unauthenticated attackers to crash the packet forwarding engine (PFE) by sending a specific ICMP packet through a GRE tunnel when PowerMode IPsec and GRE performance acceleration are enabled. This results in immediate traffic loss and service disruption. The vulnerability affects multiple Junos OS versions and requires urgent patching for organizations using SRX devices in production environments.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: May 3, 2026 21:37

🇸🇦 التأثير على المملكة العربية السعودية

This vulnerability poses significant risk to Saudi critical infrastructure sectors: (1) Banking & Financial Services (SAMA-regulated institutions) relying on SRX firewalls for network perimeter security and IPsec VPN termination; (2) Government agencies (NCA, CITC oversight) using SRX devices for secure communications; (3) Energy sector (Saudi Aramco, utilities) dependent on SRX for SCADA/ICS network protection; (4) Telecommunications (STC, Mobily) using SRX for carrier-grade security; (5) Healthcare institutions requiring continuous network availability. The DoS impact is severe as SRX devices are typically core network infrastructure components. Organizations with GRE tunnels and PMI enabled face immediate traffic loss during attacks.

🏢 القطاعات السعودية المتأثرة

Banking & Financial Services Government & Public Administration Energy & Utilities Telecommunications Healthcare Critical Infrastructure

🎯 تقنيات MITRE ATT&CK

T1499 - Endpoint Denial of Service T1499.004 - Application Exhaustion Flood T1561 - Disk Wipe T1529 - System Shutdown/Reboot

⚖️ درجة المخاطر السعودية (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Verify if GRE performance acceleration is enabled: run 'show configuration system services' and check for 'gre-performance-acceleration' setting

2. Verify PowerMode IPsec status: check 'show system information | grep PowerMode'

3. If both features are enabled, implement emergency mitigation immediately

PATCHING GUIDANCE:

1. Prioritize upgrading to patched versions: 21.4R3-S12, 22.4R3-S8, 23.2R2-S5, 23.4R2-S5, 24.2R2-S3, 24.4R2-S1, 25.2R1-S1, or 25.2R2

2. Schedule maintenance windows for SRX upgrades (typically 30-60 minutes per device)

3. Test patches in lab environment first with GRE+PMI configuration

4. Maintain rollback plan to previous stable version

COMPENSATING CONTROLS (if immediate patching not possible):

1. Disable GRE performance acceleration: 'delete system services gre-performance-acceleration'

2. Implement ICMP rate limiting on SRX: 'set firewall filter ICMP-LIMIT term LIMIT from protocol icmp; set firewall filter ICMP-LIMIT term LIMIT then count ICMP-DROP; set firewall filter ICMP-LIMIT term LIMIT then policer ICMP-RATE; set firewall filter ICMP-LIMIT term ALLOW then accept'

3. Restrict GRE tunnel sources to known legitimate endpoints using firewall filters

4. Monitor PFE restart events: 'show system core-dumps' and 'show log messages | grep PFE'

5. Enable SNMP traps for PFE crashes for real-time alerting

DETECTION RULES:

1. Monitor for PFE restarts: Alert if 'show system uptime' shows PFE restart time differs from RE uptime

2. Syslog monitoring: Alert on 'PFE restart' or 'Packet Forwarding Engine restarted' messages

3. NetFlow/sFlow: Monitor for sudden traffic drops correlating with ICMP packet patterns

4. SNMP monitoring: Track 'jnxPfeRestarts' OID for anomalous restart patterns

5. Firewall log analysis: Correlate ICMP packets through GRE tunnels with PFE restart events

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحقق من تفعيل تسريع أداء GRE: قم بتشغيل 'show configuration system services' والتحقق من إعداد 'gre-performance-acceleration'

2. تحقق من حالة PowerMode IPsec: تحقق من 'show system information | grep PowerMode'

3. إذا كانت كلا الميزتين مفعلتين، قم بتطبيق التخفيف الطارئ فورًا

إرشادات التصحيح:

1. أولويات الترقية إلى الإصدارات المصححة: 21.4R3-S12 أو 22.4R3-S8 أو 23.2R2-S5 أو 23.4R2-S5 أو 24.2R2-S3 أو 24.4R2-S1 أو 25.2R1-S1 أو 25.2R2

2. جدولة نوافذ الصيانة لترقيات SRX (عادة 30-60 دقيقة لكل جهاز)

3. اختبر التصحيحات في بيئة المختبر أولاً باستخدام تكوين GRE+PMI

4. حافظ على خطة الرجوع إلى الإصدار السابق المستقر

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكنًا):

1. تعطيل تسريع أداء GRE: 'delete system services gre-performance-acceleration'

2. تطبيق تحديد معدل ICMP على SRX

3. تقييد مصادر نفق GRE إلى نقاط نهاية شرعية معروفة

4. مراقبة أحداث إعادة تشغيل PFE

5. تفعيل فخاخ SNMP لأعطال PFE للتنبيهات الفورية

قواعد الكشف:

1. مراقبة إعادة تشغيل PFE: تنبيه إذا أظهرت 'show system uptime' اختلافًا في وقت إعادة تشغيل PFE

2. مراقبة Syslog: تنبيه على رسائل 'PFE restart'

3. مراقبة NetFlow/sFlow: راقب أنماط حركة ICMP المفاجئة عبر أنفاق GRE

4. مراقبة SNMP: تتبع OID 'jnxPfeRestarts' للأنماط غير الطبيعية

5. تحليل سجلات جدار الحماية: ربط حزم ICMP عبر أنفاق GRE مع أحداث إعادة تشغيل PFE

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.12.2.1 - Change management procedures ECC 2024 A.13.1.3 - Segregation of networks ECC 2024 A.14.2.1 - Incident management procedures

🔵 SAMA CSF

SAMA CSF ID.RA-1 - Asset management and vulnerability identification SAMA CSF PR.IP-12 - Security patch management SAMA CSF DE.CM-1 - Network monitoring and anomaly detection SAMA CSF RS.MI-1 - Incident response and mitigation

🟡 ISO 27001:2022

ISO 27001:2022 A.12.3.1 - Configuration management ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Incident management ISO 27001:2022 A.8.1.1 - Inventory of assets

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patch management PCI DSS 11.2 - Vulnerability scanning PCI DSS 12.2 - Configuration standards

🔗 المراجع والمصادر 3

🔗

https://kb.juniper.net/JSA106005

sirt@juniper.net

Vendor Advisory

🔗

https://supportportal.juniper.net/JSA106005

sirt@juniper.net

Vendor Advisory

🔗

https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/s...

sirt@juniper.net

Technical Description

📦 المنتجات المتأثرة 50 منتج

juniper:junos

juniper:junos:21.4

juniper:junos:22.4

juniper:junos:23.2

juniper:junos:23.4

📊 CVSS Score

7.5

/ 10.0 — مرتفع

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityH — High

📋 حقائق سريعة

الخطورة مرتفع

CVSS Score7.5

CWECWE-755

EPSS0.02%

اختراق متاح لا

تصحيح متاح ✓ نعم

تاريخ النشر 2026-01-15

المصدر nvd

المشاهدات 6

🇸🇦 درجة المخاطر السعودية

8.2

/ 10.0 — مخاطر السعودية

أولوية: CRITICAL

🏷️ الوسوم

CWE-755

🏢 توجيهات البائع

🔗 https://kb.juniper.net/JSA106005 🔗 https://supportportal.juniper.net/JSA106005

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 التعليقات

جارٍ التحميل

CVE-2026-21906

💬 التعليقات

عرّفنا بنفسك

تسجيل الدخول مطلوب