Description
An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart.

When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing.

Note that PMI with GRE performance acceleration is only supported on specific SRX platforms.
This issue affects Junos OS on the SRX Series:



* all versions before 21.4R3-S12, 
* from 22.4 before 22.4R3-S8, 
* from 23.2 before 23.2R2-S5, 
* from 23.4 before 23.4R2-S5, 
* from 24.2 before 24.2R2-S3, 
* from 24.4 before 24.4R2-S1, 
* from 25.2 before 25.2R1-S1, 25.2R2.
Published: 2026-01-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: PFE crash leading to traffic loss (Denial of Service)
Action: Immediate Patch
AI Analysis

Impact

An improper handling of exceptional conditions in the packet forwarding engine (PFE) of Juniper Junos OS on SRX Series causes the PFE to crash when a specific ICMP packet is received through a GRE tunnel enabled with Performance Mode IPsec (PMI). The crash restarts the PFE, resulting in loss of traffic forwarded through the device. The flaw is a local network‑based interruption that can degrade or deny service to all flows handled by the affected SRX system.

Affected Systems

The vulnerability affects Juniper Networks’ Junos OS on SRX Series platforms, including all supported SRX models such as the 1500, 1600, 2300, 300, 320, 340, 345, 380, 4100, 4120, 4200, 4300, 4600, 4700, 5400, 5600, and 5800 families. It applies to all OS releases before the following patches: 21.4R3‑S12, 22.4R3‑S8, 23.2R2‑S5, 23.4R2‑S5, 24.2R2‑S3, 24.4R2‑S1, 25.2R1‑S1, and 25.2R2. The issue is present only when PMI and GRE performance acceleration are enabled, a configuration that is not supported on all SRX platforms.

Risk and Exploitability

The CVSS score is 8.7, indicating a high severity while the EPSS score is below 1 %, showing a very low likelihood of exploitation in the current threat landscape. The vulnerability is not listed in the CISA KEV catalog. Attackers must be able to send a crafted ICMP packet over a GRE tunnel to the SRX device and the device must have PMI and GRE performance acceleration active. Successful exploitation would cause a PFE crash and subsequent traffic loss, effectively a denial of service for all flows routed through the affected gateway.

Generated by OpenCVE AI on April 18, 2026 at 05:59 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: Junos OS 21.4R3-S12, 22.4R3-S8, 23.2R2-S5, 23.4R2-S5, 24.2R2-S3, 24.4R2-S1, 25.2R1-S1, 25.2R2, 25.4R1, and all subsequent releases.

Vendor Workaround

* Disable GRE performance acceleration via 'deactivate security flow gre-performance-acceleration' or * Disable PMI:via 'set security flow power-mode-disable'

OpenCVE Recommended Actions

  • Upgrade Junos OS to any of the releases 21.4R3‑S12, 22.4R3‑S8, 23.2R2‑S5, 23.4R2‑S5, 24.2R2‑S3, 24.4R2‑S1, 25.2R1‑S1, 25.2R2, 25.4R1, or a later release.
  • If an upgrade is not immediately possible, disable GRE performance acceleration by executing the configuration command 'deactivate security flow gre-performance-acceleration'.
  • If the device uses Power Mode IPsec, disable it with 'set security flow power-mode-disable' as an additional safeguard.

Generated by OpenCVE AI on April 18, 2026 at 05:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Juniper
Juniper junos
Juniper srx1500
Juniper srx1600
Juniper srx2300
Juniper srx300
Juniper srx320
Juniper srx340
Juniper srx345
Juniper srx380
Juniper srx4100
Juniper srx4120
Juniper srx4200
Juniper srx4300
Juniper srx4600
Juniper srx4700
Juniper srx5400
Juniper srx5600
Juniper srx5800
CPEs cpe:2.3:h:juniper:srx1500:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx1600:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx2300:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx300:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx320:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx340:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx345:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx380:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4100:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4120:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4200:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4300:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4600:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4700:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx5400:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx5600:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx5800:-:*:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s10:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s11:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s5:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s6:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s7:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s8:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3-s9:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:21.4:r3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s5:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s6:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s7:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:r2:*:*:*:*:*:*
Vendors & Products Juniper
Juniper junos
Juniper srx1500
Juniper srx1600
Juniper srx2300
Juniper srx300
Juniper srx320
Juniper srx340
Juniper srx345
Juniper srx380
Juniper srx4100
Juniper srx4120
Juniper srx4200
Juniper srx4300
Juniper srx4600
Juniper srx4700
Juniper srx5400
Juniper srx5600
Juniper srx5800

Fri, 16 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Juniper Networks
Juniper Networks junos Os
Vendors & Products Juniper Networks
Juniper Networks junos Os

Thu, 15 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Description An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart. When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing. Note that PMI with GRE performance acceleration is only supported on specific SRX platforms. This issue affects Junos OS on the SRX Series: * all versions before 21.4R3-S12,  * from 22.4 before 22.4R3-S8,  * from 23.2 before 23.2R2-S5,  * from 23.4 before 23.4R2-S5,  * from 24.2 before 24.2R2-S3,  * from 24.4 before 24.4R2-S1,  * from 25.2 before 25.2R1-S1, 25.2R2.
Title Junos OS: SRX Series: With GRE performance acceleration enabled, receipt of a specific ICMP packet causes the PFE to crash
Weaknesses CWE-755
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Red'}

Subscriptions

Juniper Junos Srx1500 Srx1600 Srx2300 Srx300 Srx320 Srx340 Srx345 Srx380 Srx4100 Srx4120 Srx4200 Srx4300 Srx4600 Srx4700 Srx5400 Srx5600 Srx5800
Juniper Networks Junos Os
cve-icon MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-01-16T16:20:14.792Z

Reserved: 2026-01-05T17:32:48.710Z

Link: CVE-2026-21906

cve-icon Vulnrichment

Updated: 2026-01-16T16:20:11.665Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T21:16:06.177

Modified: 2026-01-23T19:40:34.157

Link: CVE-2026-21906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses