Description
A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a memory leak that will eventually cause a complete Denial-of-Service (DoS).

In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart, which causes a complete service impact until the process has recovered.

The memory usage of jdhcpd can be monitored with:

user@host> show system processes extensive | match jdhcpd



This issue affects Junos OS:

* all versions before 22.4R3-S1,
* 23.2 versions before 23.2R2,
* 23.4 versions before 23.4R2.
Published: 2026-04-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a memory leak in the DHCP daemon jdhcpd of Juniper Networks Junos OS on MX Series. Each subscriber logout in certain DHCPv6 scenarios leaves a small amount of memory unreleased, so jdhcpd consumes more memory over time. When available memory is exhausted, jdhcpd crashes and restarts, resulting in a complete service outage until the process has recovered. The weakness corresponds to CWE-401 (Missing Release of Memory after Effective Lifetime).

Affected Systems

The flaw affects Junos OS on MX Series devices. All releases prior to 22.4R3‑S1, all 23.2 releases before 23.2R2, and all 23.4 releases before 23.4R2 are vulnerable. The documented scenarios involve DHCPv6 over PPPoE or DHCPv6 over VLAN with Active lease query or Bulk lease query.

Risk and Exploitability

The CVSS v4.0 score of 8.7 indicates high severity, and the description states that an unauthenticated attacker adjacent to the network can trigger the leak by causing subscriber logouts in the affected DHCPv6 contexts. The listed EPSS score is below 1% (very low); even so, the leak accrues on every subscriber logout and the vendor lists no workaround, so exploitation is feasible once the conditions are met. The issue is not listed in the CISA KEV catalog, so it is not currently known to be exploited in the wild. The impact is a complete denial of service for the jdhcpd process and any higher-level services that rely on it.

Generated by OpenCVE AI on April 9, 2026 at 22:20 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 22.4R3-S1, 23.2R2, 23.4R2, 24.2R1, and all subsequent releases.


Vendor Workaround

There are no known workarounds for this issue.


OpenCVE Recommended Actions

  • Upgrade Junos OS to a fixed release (22.4R3‑S1, 23.2R2, 23.4R2, 24.2R1, or later).
  • If an urgent upgrade is not possible, monitor jdhcpd memory usage with ‘show system processes extensive | match jdhcpd’ to detect increasing trends.
  • When memory usage appears to be escalating, restart the jdhcpd process or the device to temporarily restore service.
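
One way to turn the monitoring step above into an alert, as an added example (not OpenCVE's or Juniper's code): it fits a growth rate to periodic samples of the `match jdhcpd` output and treats a PID change as a jdhcpd restart. The column layout (FreeBSD top style, SIZE and RES carrying K/M/G suffixes), the sample lines and the 1 MiB/hour threshold are assumptions.

```python
import re

UNITS = {"K": 1024, "M": 1024**2, "G": 1024**3}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)([KMG])$")

def parse_line(line):
    """Return (pid, res_bytes) for a jdhcpd process line, else None."""
    fields = line.split()
    if len(fields) < 4 or not fields[0].isdigit() or fields[-1] != "jdhcpd":
        return None
    # Assumption: SIZE and RES are the first two fields with a K/M/G suffix.
    sizes = [m for m in map(SIZE_RE.match, fields) if m]
    if len(sizes) < 2:
        return None
    value, unit = sizes[1].groups()
    return int(fields[0]), int(float(value) * UNITS[unit])

def assess(samples, min_mb_per_hour=1.0):
    """samples: [(epoch_seconds, cli_line)]; returns restarts, slope, alert."""
    series, restarts, last_pid = [], 0, None
    for ts, line in samples:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, res = parsed
        if last_pid is not None and pid != last_pid:
            restarts += 1      # new PID: jdhcpd restarted, start a new series
            series = []
        last_pid = pid
        series.append((ts, res))
    slope = None
    if len(series) >= 3:       # least-squares slope of RES over time
        n = len(series)
        mean_t = sum(t for t, _ in series) / n
        mean_r = sum(r for _, r in series) / n
        den = sum((t - mean_t) ** 2 for t, _ in series)
        if den:
            num = sum((t - mean_t) * (r - mean_r) for t, r in series)
            slope = round(num / den * 3600 / 1024**2, 2)   # MiB per hour
    alert = restarts > 0 or (slope is not None and slope >= min_mb_per_hour)
    return {"restarts": restarts, "slope_mb_per_hour": slope, "alert": alert}

# Constructed hourly samples, not captured from a real device.
SAMPLES = [
    (0,     "5131 root  20  0  758M   62M select  1  0:15  0.00% jdhcpd"),
    (3600,  "5131 root  20  0  790M   94M select  1  0:31  0.00% jdhcpd"),
    (7200,  "5131 root  20  0  822M  126M select  1  0:48  0.00% jdhcpd"),
    (10800, "5131 root  20  0  854M  158M select  1  1:02  0.00% jdhcpd"),
]

if __name__ == "__main__":
    print(assess(SAMPLES))
```

A restart resets the series, so the slope is reported as `None` until three samples exist for the new PID; the restart itself still raises the alert.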


History

Fri, 17 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Juniper
Juniper junos
Juniper mx10004
Juniper mx10008
Juniper mx2008
Juniper mx2010
Juniper mx2020
Juniper mx204
Juniper mx240
Juniper mx301
Juniper mx304
Juniper mx480
Juniper mx960
Vendors & Products Juniper
Juniper junos
Juniper mx10004
Juniper mx10008
Juniper mx2008
Juniper mx2010
Juniper mx2020
Juniper mx204
Juniper mx240
Juniper mx301
Juniper mx304
Juniper mx480
Juniper mx960

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Juniper Networks
Juniper Networks junos Os
Vendors & Products Juniper Networks
Juniper Networks junos Os

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Junos OS: MX Series: In specific DHCPv6 scenarios jdhcpd memory increases continuously with subscriber logouts
Weaknesses CWE-401
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/RE:M'}


MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-04-13T18:06:19.824Z

Reserved: 2026-03-23T19:46:13.669Z

Link: CVE-2026-33782

Vulnrichment

Updated: 2026-04-13T17:58:39.328Z

NVD

Status: Analyzed

Published: 2026-04-09T22:16:27.393

Modified: 2026-04-17T17:39:35.200

Link: CVE-2026-33782

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:10Z