Description
An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on specific EX Series and QFX Series devices allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks.

When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as an egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic that should have been blocked being sent out one of these interfaces.

This issue affects Junos OS on EX Series and QFX Series:
* 23.4 version 23.4R2-S6,
* 24.2 version 24.2R2-S3.


No other Junos OS versions are affected.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integrity impact: unintended egress filtering bypass
Action: Immediate Patch
AI Analysis

Impact

An incorrect initialization of resources in Juniper’s packet forwarding engine (CWE‑1419, NVD‑CWE‑Other) causes the system to apply only one of two identical egress filters when they are configured on an IRB and a physical interface. The result is that traffic that should be blocked may be sent out an interface that was intended to remain closed, exposing downstream networks to data leakage and undermining the intended firewall policy. The vulnerability is exploitable by an unauthenticated network-based attacker and can let malicious traffic violate network segmentation and egress controls, thereby harming confidentiality and integrity.

Affected Systems

Juniper Networks Junos OS on EX4100, EX4400, EX4650, and QFX5120 devices is affected. Vulnerable releases are 23.4R2-S6 and 24.2R2-S3; later releases (23.4R2-S7, 24.2R2-S4) contain the fix. No other Junos OS versions are reported as vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% shows a low but non‑zero probability of exploitation, while the lack of a CISA KEV listing suggests it is not currently widely known. The unauthenticated network attack vector still allows an attacker with network access to trigger the flaw without logging in or gaining privileged access. This results in a moderate but potentially impactful risk, especially for organizations relying on strict egress filtering on the affected device models.

Generated by OpenCVE AI on April 18, 2026 at 17:21 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 23.4R2-S7, 24.2R2-S4.


Vendor Workaround

Two different workarounds are available:

1. Create the same filter under a different name and apply that to one of the interfaces, so that each interface has a unique copy of the filter in question, as shown in the following example:

    user@host# copy ... <filter> to ... <filter2>
    user@host# set interfaces irb unit <unit2> family inet/inet6 filter output <filter2>

2. Configure the filter as "interface specific" by adding the keyword to the filter definition:

    [ firewall family inet/inet6 filter <filter> interface-specific ]

   which implicitly creates a copy of the original filter per applied interface.
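To find where the workaround is needed, the following added example (not part of the vendor advisory) scans `show configuration | display set` output for an inet/inet6 filter used as `filter output` on both an IRB unit and another interface without `interface-specific`. The sample configuration, filter names and function name are constructed for illustration; any non-IRB interface is treated as physical, and the script does not check the Junos release or platform.

```python
import re
from collections import defaultdict

# Constructed sample of `show configuration | display set` output (not from the advisory).
SAMPLE_CONFIG = """\
set firewall family inet filter EGRESS-BLOCK term deny-rfc1918 from destination-address 10.0.0.0/8
set firewall family inet filter EGRESS-BLOCK term deny-rfc1918 then discard
set firewall family inet filter EGRESS-BLOCK term allow then accept
set firewall family inet6 filter V6-OUT interface-specific
set firewall family inet6 filter V6-OUT term allow then accept
set firewall family inet filter MGMT-OUT term allow then accept
set interfaces irb unit 100 family inet filter output EGRESS-BLOCK
set interfaces ge-0/0/10 unit 0 family inet filter output EGRESS-BLOCK
set interfaces irb unit 200 family inet6 filter output V6-OUT
set interfaces xe-0/0/1 unit 0 family inet6 filter output V6-OUT
set interfaces irb unit 300 family inet filter output MGMT-OUT
"""

# Egress filter attachment on a logical unit (filter output-list and apply-groups are not covered).
APPLY_RE = re.compile(r"^set interfaces (\S+) unit (\S+) family (inet6?) filter output (\S+)\s*$")
# Filter already carrying the interface-specific keyword (workaround 2).
SPECIFIC_RE = re.compile(r"^set firewall family (inet6?) filter (\S+) interface-specific\s*$")


def find_shared_egress_filters(display_set_text):
    """Return {(family, filter): {"irb": [...], "physical": [...]}} for filters
    shared between an IRB unit and a non-IRB interface without interface-specific."""
    applied = defaultdict(lambda: {"irb": [], "physical": []})
    interface_specific = set()
    for line in display_set_text.splitlines():
        line = line.strip()
        m = APPLY_RE.match(line)
        if m:
            ifname, unit, family, filt = m.groups()
            # Assumption: every interface other than irb counts as physical.
            kind = "irb" if ifname == "irb" else "physical"
            applied[(family, filt)][kind].append(f"{ifname}.{unit}")
            continue
        m = SPECIFIC_RE.match(line)
        if m:
            interface_specific.add((m.group(1), m.group(2)))
    return {key: dict(uses) for key, uses in applied.items()
            if uses["irb"] and uses["physical"] and key not in interface_specific}


if __name__ == "__main__":
    for (family, filt), uses in find_shared_egress_filters(SAMPLE_CONFIG).items():
        print(f"{family} filter {filt}: irb={uses['irb']} physical={uses['physical']}")
```

Each filter it reports is a candidate for either workaround on the affected releases; re-running it after the change should return nothing for that filter.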


OpenCVE Recommended Actions

  • Apply the Juniper patch update to 23.4R2‑S7 or 24.2R2‑S4 to resolve the issue
  • Create a separate copy of the filter for each interface using a unique filter name as a temporary workaround
  • Alternatively, configure the filter as interface‑specific by adding the keyword interface‑specific to the filter definition

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 18:00:00 +0000

Type: First Time appeared
Values Added: Juniper, Juniper ex2300, Juniper ex2300-c, Juniper ex3400, Juniper ex4000, Juniper ex4100, Juniper ex4100-f, Juniper ex4100-h, Juniper ex4300, Juniper ex4400, Juniper ex4600, Juniper ex4650, Juniper ex9204, Juniper ex9208, Juniper ex9214, Juniper junos, Juniper qfx10008, Juniper qfx10016, Juniper qfx5110, Juniper qfx5120, Juniper qfx5130, Juniper qfx5200, Juniper qfx5210, Juniper qfx5220, Juniper qfx5230-64cd, Juniper qfx5240, Juniper qfx5241, Juniper qfx5700

Type: Weaknesses
Values Added: NVD-CWE-Other

Type: Vendors & Products
Values Added: Juniper, Juniper ex2300, Juniper ex2300-c, Juniper ex3400, Juniper ex4000, Juniper ex4100, Juniper ex4100-f, Juniper ex4100-h, Juniper ex4300, Juniper ex4400, Juniper ex4600, Juniper ex4650, Juniper ex9204, Juniper ex9208, Juniper ex9214, Juniper junos, Juniper qfx10008, Juniper qfx10016, Juniper qfx5110, Juniper qfx5120, Juniper qfx5130, Juniper qfx5200, Juniper qfx5210, Juniper qfx5220, Juniper qfx5230-64cd, Juniper qfx5240, Juniper qfx5241, Juniper qfx5700

Mon, 13 Apr 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Juniper Networks, Juniper Networks junos Os

Type: Vendors & Products
Values Added: Juniper Networks, Juniper Networks junos Os

Thu, 09 Apr 2026 21:45:00 +0000

Type: Description
Values Added: An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series device allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks. When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked. This issue affects Junos OS on EX Series and QFX Series: * 23.4 version 23.4R2-S6, * 24.2 version 24.2R2-S3. No other Junos OS versions are affected.

Type: Title
Values Added: Junos OS: EX Series, QFX Series: If the same egress filter is configured on both an IRB and a physical interface one of those is not applied

Type: Weaknesses
Values Added: CWE-1419

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/AU:Y/R:U/RE:M'}


MITRE

Status: PUBLISHED
Assigner: juniper
Published:
Updated: 2026-04-13T18:06:20.091Z
Reserved: 2026-03-23T19:46:13.668Z
Link: CVE-2026-33773

Vulnrichment

Updated: 2026-04-13T17:58:44.055Z

NVD

Status: Analyzed
Published: 2026-04-09T22:16:25.590
Modified: 2026-04-17T17:56:54.663
Link: CVE-2026-33773

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z
