Description
An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos).

If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered.

This issue affects Junos OS on SRX Series:

* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S3,
* 24.4 versions before 24.4R2-S2,
* 25.2 versions before 25.2R1-S1, 25.2R2.
Published: 2026-01-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial-of-Service (device crash and traffic outage)
Action: Apply Update
AI Analysis

Impact

An improperly managed lock in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated network attacker to send a specially crafted GTP Modify Bearer Request message that acquires a lock and never releases it. The resulting deadlock blocks other threads, triggers a watchdog timeout, and causes an FPC crash and automatic restart. The crash produces a complete traffic outage until the device recovers. This is a denial‑of‑service vulnerability (CWE‑667).

Affected Systems

Affected systems include Juniper Networks Junos OS on SRX Series routers. Vulnerable versions are all releases before 22.4R3‑S8, before 23.2R2‑S5, before 23.4R2‑S6, before 24.2R2‑S3, before 24.4R2‑S2, before 25.2R1‑S1, and before 25.2R2. All subsequent releases listed in the vendor patch guide include the fix.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity, but the EPSS score is below 1 %, suggesting a low probability of exploitation. The vulnerability is remote, unauthenticated, and network‑based; the attacker must be able to send GTP packets to the SRX device. No workaround is available, so the only mitigation is to upgrade to a patched release. The risk to operations is significant due to full traffic disruption after a crash, but the actual risk of exploitation is low unless an attacker can target the device directly.

Generated by OpenCVE AI on April 18, 2026 at 16:08 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S3, 24.4R2-S2, 25.2R1-S1, 25.2R2, 25.4R1, and all subsequent releases.

Vendor Workaround

There are no known workarounds for this issue.

OpenCVE Recommended Actions

  • Deploy the latest Junos OS release that includes the fix (e.g., 22.4R3‑S8 or newer, 23.2R2‑S5 or newer, 23.4R2‑S6 or newer, 24.2R2‑S3 or newer, 24.4R2‑S2 or newer, 25.2R1‑S1 or newer, 25.2R2 or newer).
  • Implement a high‑availability or redundancy strategy (e.g., enable active‑standby or redundancy) to minimize downtime in case of unexpected crashes.
  • Schedule the patch deployment as a high‑priority change within an appropriate maintenance window to reduce impact on network traffic.
  • Monitor device logs for watchdog timeouts or FPC crashes after the update to verify stability.

Generated by OpenCVE AI on April 18, 2026 at 16:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 23 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Juniper
Juniper junos
Juniper srx1500
Juniper srx1600
Juniper srx2300
Juniper srx300
Juniper srx320
Juniper srx340
Juniper srx345
Juniper srx380
Juniper srx4100
Juniper srx4120
Juniper srx4200
Juniper srx4300
Juniper srx4600
Juniper srx4700
Juniper srx5400
Juniper srx5600
Juniper srx5800
CPEs cpe:2.3:h:juniper:srx1500:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx1600:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx2300:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx300:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx320:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx340:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx345:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx380:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4100:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4120:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4200:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4300:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4600:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx4700:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx5400:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx5600:-:*:*:*:*:*:*:*
cpe:2.3:h:juniper:srx5800:-:*:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s5:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s6:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3-s7:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.2:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s4:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2-s5:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:23.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.2:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1-s2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1-s3:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r2-s1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:24.4:r2:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:-:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:r1:*:*:*:*:*:*
cpe:2.3:o:juniper:junos:25.2:r2:*:*:*:*:*:*
Vendors & Products Juniper
Juniper junos
Juniper srx1500
Juniper srx1600
Juniper srx2300
Juniper srx300
Juniper srx320
Juniper srx340
Juniper srx345
Juniper srx380
Juniper srx4100
Juniper srx4120
Juniper srx4200
Juniper srx4300
Juniper srx4600
Juniper srx4700
Juniper srx5400
Juniper srx5600
Juniper srx5800

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Juniper Networks
Juniper Networks junos Os
Vendors & Products Juniper Networks
Juniper Networks junos Os

Thu, 15 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Description An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2.
Title Junos OS: SRX Series: A specifically malformed GTP message will cause an FPC crash
Weaknesses CWE-667
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/RE:M'}

Subscriptions

Juniper Junos Srx1500 Srx1600 Srx2300 Srx300 Srx320 Srx340 Srx345 Srx380 Srx4100 Srx4120 Srx4200 Srx4300 Srx4600 Srx4700 Srx5400 Srx5600 Srx5800
Juniper Networks Junos Os
cve-icon MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-01-15T20:44:30.550Z

Reserved: 2026-01-05T17:32:48.711Z

Link: CVE-2026-21914

cve-icon Vulnrichment

Updated: 2026-01-15T20:44:26.736Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T21:16:07.700

Modified: 2026-01-23T19:41:03.710

Link: CVE-2026-21914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses