Impact
A use‑after‑free flaw (CWE-416) in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved permits an authenticated network‑based attacker with low privileges to trigger crashes in critical telemetry‑capable processes. When collectors repeatedly subscribe to and unsubscribe from sensors over an extended period, components such as chassisd, rpd or mib2d crash and restart, potentially causing a full outage until the device recovers.
Affected Systems
The vulnerability affects Juniper Networks Junos OS and Junos OS Evolved. All builds prior to Junos OS 22.4R3‑S8, 23.2R2‑S5, and 23.4R2, as well as the corresponding Evolved releases 22.4R3‑S8‑EVO, 23.2R2‑S5‑EVO, and 23.4R2‑EVO, are susceptible. Vendor‑issued patched releases begin with 22.4R3‑S8 / 22.4R3‑S8‑EVO, 23.2R2‑S5 / 23.2R2‑S5‑EVO, 23.4R2 / 23.4R2‑EVO and later.
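For triaging a device inventory against the fixed releases listed above, the following is an added example, not code from Juniper or OpenCVE. It assumes version strings of the form `YY.NRx[-Sy][.respin][-EVO]`, and it assumes that a release train with no fixed release named on this page is flagged unless it is newer than 23.4; the function names and the sample inventory are hypothetical.

```python
import re

# Fixed releases named in the advisory text above, keyed by release train:
# (major, minor) -> (R number, S number); 23.4R2 has no service release.
FIXED = {(22, 4): (3, 8), (23, 2): (2, 5), (23, 4): (2, 0)}

# Assumed version layout: YY.N R<x> [-S<y>] [.<respin>] [-EVO]
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$", re.I)


def parse_junos_version(version):
    """Return (train, release, is_evolved) or raise ValueError."""
    # Accept the non-breaking hyphen (U+2011) that web pages often use.
    text = version.strip().replace("\u2011", "-")
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    train = (int(m[1]), int(m[2]))
    release = (int(m[3]), int(m[4] or 0))
    return train, release, m[5] is not None


def is_affected(version):
    """True if the version predates the fixed release for its train."""
    train, release, _ = parse_junos_version(version)
    if train in FIXED:
        return release < FIXED[train]
    # Assumption: a train with no fixed release listed here is flagged unless
    # it is newer than the newest listed train ("and later" in the advisory).
    return train < max(FIXED)


if __name__ == "__main__":
    # Constructed inventory for illustration, not real device data.
    inventory = {
        "edge-1": "22.4R3-S7.2",
        "edge-2": "23.2R2-S5-EVO",
        "core-1": "23.4R1-S2.5",
        "core-2": "24.2R1",
    }
    for host, version in inventory.items():
        state = "AFFECTED" if is_affected(version) else "fixed"
        print(f"{host:8} {version:16} {state}")
```

Strings that do not match the assumed layout raise `ValueError`, so they surface for manual review instead of being silently classified.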
Risk and Exploitability
The CVSS score of 7.1 indicates a serious risk, and the EPSS score is reported to be below 1%, suggesting current exploitation is unlikely but possible. The vulnerability is not listed in CISA’s KEV catalog, meaning known exploitation is not publicly confirmed. Attackers would need network reach, legitimate low‑privilege credentials, and the ability to repeatedly perform telemetry subscribe/unsubscribe operations to trigger the crash. No workaround is available, so the only effective defense is to apply the vendor’s patch.