Description

A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges, to cause a Denial-of-Service (DoS).

Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed.

This issue affects Junos OS:

* all versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2.
Published: 2026-01-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service caused by a stack-based buffer overflow that crashes all Packet Forwarding Engine connections when telemetry sensors are subscribed at scale
Action: Apply Patch
AI Analysis

Impact

A stack-based buffer overflow exists in the Packet Forwarding Engine (pfe) of Junos OS. When telemetry sensors are subscribed at scale, all FPC connections drop and the FPC crashes and restarts, resulting in a denial-of-service condition. The condition can be triggered by a network-based attacker authenticated with low privileges; it does not grant code execution, but it disrupts network services while the FPC is down.

Affected Systems

The vulnerability affects Juniper Networks Junos OS: all versions before 22.4R3-S7, 23.2 versions before 23.2R2-S4, and 23.4 versions before 23.4R2. Devices running those versions are susceptible to the FPC crash when telemetry sensors are subscribed at scale.

Risk and Exploitability

The CVSS v4.0 base score of 7.1 is rated High, while the EPSS score of less than 1 % indicates a very low probability of exploitation at the current time. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog, and no workaround exists. Both the CVSS v3.1 and v4.0 vectors record a network attack vector (AV:N), low privileges required (PR:L) and no user interaction (UI:N); the trigger is the subscription of telemetry sensors at scale, so an attacker only needs low-privilege access to cause the denial of service.

Generated by OpenCVE AI on April 18, 2026 at 16:09 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 22.4R3-S7, 23.2R2-S4, 23.4R2, 24.2R1, and all subsequent releases.


Vendor Workaround

There are no known workarounds for this issue.


OpenCVE Recommended Actions

  • Apply the Junos OS releases that contain the fix (22.4R3-S7, 23.2R2-S4, 23.4R2, 24.2R1, or later) to all affected devices
  • Limit or disable telemetry sensor subscriptions until all devices are patched to mitigate the denial-of-service risk
  • Configure access controls so that only authorized high-privilege users can subscribe to telemetry sensors at scale

Generated by OpenCVE AI on April 18, 2026 at 16:09 UTC.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 19:45:00 +0000

First Time appeared (values added): Juniper; Juniper junos
CPEs (values added):
cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s5:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s6:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*
Vendors & Products (values added): Juniper; Juniper junos

Fri, 16 Jan 2026 14:15:00 +0000

First Time appeared (values added): Juniper Networks; Juniper Networks junos Os
Vendors & Products (values added): Juniper Networks; Juniper Networks junos Os

Thu, 15 Jan 2026 22:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 20:30:00 +0000

Description (values added): A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS:  * all versions before 22.4R3-S7, * 23.2 version before 23.2R2-S4, * 23.4 versions before 23.4R2.
Title (values added): Junos OS: Subscribing to telemetry sensors at scale causes all FPCs to crash
Weaknesses (values added): CWE-121
References (values added):
Metrics (values added): cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
cvssV4_0
{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-01-15T21:12:08.631Z

Reserved: 2026-01-05T17:32:48.709Z

Link: CVE-2026-21903

Vulnrichment

Updated: 2026-01-15T21:12:05.572Z

NVD

Status : Analyzed

Published: 2026-01-15T21:16:05.807

Modified: 2026-01-23T19:40:03.190

Link: CVE-2026-21903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses