Description
A NULL Pointer Dereference vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker setting or deactivating a specific SSH configuration parameter to create a Denial of Service (DoS).

A local high-privileged user configuring or deactivating a specific 'system services ssh' configuration parameter can exploit a null pointer dereference in one of the functions used by SSH. The function attempts to dereference a null pointer when accessing certain configuration data, resulting in an mgd process crash and restart. Continued execution of these configuration commands will create a sustained Denial of Service (DoS) condition.

This issue affects:
Junos OS:


* from 22.3 before 22.3R3-S5;
* from 22.4 before 22.4R3-S10;
* from 23.2 before 23.2R2-S7;
* from 23.4 before 23.4R2-S8.




This issue does not affect Junos OS before 22.3R1.



Junos OS Evolved:
* from 22.3R1-EVO before 23.2R2-S7-EVO;
* from 23.4 before 23.4R2-S8-EVO.


This issue does not affect Junos OS Evolved before 22.3R1-EVO.
Published: 2026-07-09
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: Junos OS: 22.3R3-S5, 22.4R3-S10, 23.2R2-S7, 23.4R2-S8, 24.2R1, and all subsequent releases. Junos OS Evolved: 23.2R2-S7-EVO, 23.4R2-S8-EVO, 24.2R1-EVO, and all subsequent releases.


Vendor Workaround

There are no direct workarounds for this issue. One of the following mitigations will prevent malicious exploitation: * Use access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators. * Utilize command authorization to limit the ability to enter config mode to trusted administrators.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description A NULL Pointer Dereference vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker setting or deactivating a specific SSH configuration parameter to create a Denial of Service (DoS). A local high-privileged user configuring or deactivating a specific 'system services ssh' configuration parameter can exploit a null pointer dereference in one of the functions used by SSH. The function attempts to dereference a null pointer when accessing certain configuration data, resulting in an mgd process crash and restart. Continued execution of these configuration commands will create a sustained Denial of Service (DoS) condition. This issue affects: Junos OS: * from 22.3 before 22.3R3-S5; * from 22.4 before 22.4R3-S10; * from 23.2 before 23.2R2-S7; * from 23.4 before 23.4R2-S8. This issue does not affect Junos OS before 22.3R1. Junos OS Evolved: * from 22.3R1-EVO before 23.2R2-S7-EVO; * from 23.4 before 23.4R2-S8-EVO. This issue does not affect Junos OS Evolved before 22.3R1-EVO.
Title Junos OS and Junos OS Evolved: Configuration of a specific SSH option results in mgd crash
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:M/U:Green'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-07-09T21:01:31.334Z

Reserved: 2026-01-05T17:32:48.709Z

Link: CVE-2026-21901

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses