Description
A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS).


If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured.


This issue affects Junos OS Evolved on PTX Series:

* all versions before 22.4R3-S9-EVO,
* 23.2 versions before 23.2R2-S6-EVO,
* 23.4 versions before 23.4R2-S7-EVO,
* 24.2 versions before 24.2R2-S4-EVO,
* 24.4 versions before 24.4R2-S2-EVO,
* 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO.
Published: 2026-04-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Function Call With Incorrect Argument Type in the sensor interface of Junos OS Evolved. When SRTE policy tunnels are provisioned via PCEP and a gRPC query is received, the evo-aftmand process crashes and does not automatically restart, causing a persistent denial of service. An attacker who has authenticated network access with low privileges can trigger the crash by sending gRPC traffic that includes an Originator ASN value larger than 65,535. The resulting service disruption requires a manual reboot to recover, affecting traffic monitoring and overall network operation. The weakness is classified as CWE‑686, indicating a function call with an incorrect argument type.

Affected Systems

Affected systems are Juniper Networks Junos OS Evolved running on PTX Series devices. The vulnerability is present in all releases before 22.4R3‑S9‑EVO, before 23.2R2‑S6‑EVO, before 23.4R2‑S7‑EVO, before 24.2R2‑S4‑EVO, before 24.4R2‑S2‑EVO, and before 25.2R1‑S2‑EVO; all later releases address the issue.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high impact, while the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated attacker with low privileges who can interact with the router’s PCEP and gRPC interfaces; the attack vector is therefore likely network-based and necessitates some level of internal access. Given the impact on service continuity, the risk to organizations deploying the affected Junos OS Evolved versions is significant, especially in environments where SRTE tunnels are used.

Generated by OpenCVE AI on April 9, 2026 at 23:25 UTC.

Remediation

Vendor Solution

The following software releases have been updated to resolve this specific issue: 22.4R3-S9-EVO, 23.2R2-S6-EVO, 23.4R2-S7-EVO, 24.2R2-S4-EVO, 24.4R2-S2-EVO, 25.2R1-S2-EVO, 25.2R2-EVO, 25.4R1-EVO, and all subsequent releases.
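Added example, not part of the vendor advisory or of OpenCVE: a release-string check against the fixed releases listed above, for triaging a device inventory. It assumes version strings shaped like `23.4R2-S7-EVO` (optionally with a build number such as `-S7.3`); the function names and the sample inventory are constructed for illustration, and release trains the page does not name are reported as unknown rather than guessed.

```python
import re

# First fixed release per train as (R, S), from the Vendor Solution list above.
FIRST_FIXED = {
    (22, 4): (3, 9), (23, 2): (2, 6), (23, 4): (2, 7),
    (24, 2): (2, 4), (24, 4): (2, 2), (25, 2): (1, 2),
}
OLDEST_LISTED = (22, 4)  # "all versions before 22.4R3-S9-EVO"
FIRST_CLEAN = (25, 4)    # "25.4R1-EVO, and all subsequent releases"

# Assumed string shape: <yy>.<n>R<r>[-S<s>][.<build>]-EVO
_RELEASE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?-EVO$")


def release_status(version):
    """Return 'affected', 'fixed' or 'unknown' for one release string."""
    m = _RELEASE.match(version.strip())
    if not m:
        raise ValueError(f"not a Junos OS Evolved release string: {version!r}")
    train = (int(m[1]), int(m[2]))
    release = (int(m[3]), int(m[4] or 0))  # no -S suffix counts as S0
    if train >= FIRST_CLEAN:
        return "fixed"
    if train < OLDEST_LISTED:
        return "affected"
    if train not in FIRST_FIXED:
        return "unknown"  # train is not named on the page; do not guess
    return "fixed" if release >= FIRST_FIXED[train] else "affected"


# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ptx-core-1": "22.4R3-S8-EVO", "ptx-core-2": "23.4R2-S7-EVO",
    "ptx-edge-1": "25.2R1-EVO", "ptx-edge-2": "25.2R2-EVO",
    "ptx-lab-1": "23.1R1-EVO", "ptx-lab-2": "21.4R3-S5-EVO",
}


def triage(inventory):
    """Group hostnames by the release_status of their reported version."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        report[release_status(version)].append(host)
    return report


if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state}: {', '.join(hosts)}")
```

The check covers the release only; whether a device is exposed also depends on the conditions in the description (PTX Series, colored SRTE tunnels provisioned via PCEP, gRPC monitoring of those tunnels).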


Vendor Workaround

Configure the Originator ASN with a value of less than 65,535 (16-bit ASN).


OpenCVE Recommended Actions

  • Apply an updated Junos OS Evolved release starting with 22.4R3‑S9‑EVO.
  • If an upgrade is not immediately possible, set the Originator ASN value to less than 65,535 to satisfy the workaround.
  • Verify that the evo‑aftmand process is running after any change; if it remains unresponsive, reboot the device.
  • Monitor PCEP sessions and gRPC traffic for anomalous originator ASN values.
  • Ensure the network device is protected with appropriate access controls to limit authenticated low‑privilege access.

Generated by OpenCVE AI on April 9, 2026 at 23:25 UTC.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Juniper Networks; Juniper Networks junos Os Evolved
Vendors & Products | | Juniper Networks; Juniper Networks junos Os Evolved

Thu, 09 Apr 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS). If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured. This issue affects Junos OS Evolved on PTX Series: * all versions before 22.4R3-S9-EVO, * 23.2 versions before 23.2R2-S6-EVO, * 23.4 versions before 23.4R2-S7-EVO, * 24.2 versions before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S2-EVO, * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO.
Title | | Junos OS Evolved: PTX Series: If SRTE tunnels provisioned via PCEP are present and specific gRPC queries are received evo-aftmand crashes
Weaknesses | | CWE-686
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:U/RE:M'}


MITRE

Status: PUBLISHED

Assigner: juniper

Published:

Updated: 2026-04-09T21:36:13.503Z

Reserved: 2026-03-23T19:46:13.669Z

Link: CVE-2026-33783

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T22:16:27.590

Modified: 2026-04-09T22:16:27.590

Link: CVE-2026-33783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:52Z
