Security Vulnerability Report
CVE-2026-33773 CVSS 5.8 MEDIUM

CVE-2026-33773

Published: 2026-04-09 22:16:26
Last Modified: 2026-04-17 17:56:55

Description

An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series devices allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks.

When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as an egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out of one of these interfaces that should have been blocked.

This issue affects Junos OS on EX Series and QFX Series:
* 23.4 version 23.4R2-S6,
* 24.2 version 24.2R2-S3.

No other Junos OS versions are affected.

CVSS Details

CVSS Score: 5.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:23.4:r2-s6:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:24.2:r2-s3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ex4000:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:ex4100:-:*:*:*:*:*:*:* - NOT VULNERABLE
Junos OS 23.4R2-S6
Junos OS 24.2R2-S3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
# PoC Concept: Configuration leading to CVE-2026-33773 impact
# This demonstrates the vulnerable setup on Junos OS

# Define a firewall filter intended to block specific traffic (e.g., telnet)
firewall {
    family inet {
        filter VULNERABLE_FILTER {
            term block_bad_traffic {
                from {
                    protocol tcp;
                    destination-port 23;  # Telnet
                }
                then {
                    discard;
                }
            }
            term accept_other {
                then accept;
            }
        }
    }
}

# Vulnerable Configuration Scenario:
# Applying the SAME filter to both IRB and Physical Interface as output
interfaces {
    irb {
        unit 100 {
            family inet {
                filter {
                    output VULNERABLE_FILTER;  # Filter applied to IRB
                }
                address 192.168.1.1/24;
            }
        }
    }
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output VULNERABLE_FILTER;  # Same filter applied to Physical Interface (VULNERABLE)
                }
                address 10.0.0.1/24;
            }
        }
    }
}

# Exploitation:
# Due to the Incorrect Initialization of Resource, only one filter is active.
# An attacker sends TCP traffic to port 23.
# Expected: Traffic is dropped.
# Actual: Only one of the two filter attachments takes effect, so the traffic
#         may be sent out of the interface whose filter was not applied.
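An added example, not taken from the advisory or from Juniper: a Python audit over `show configuration | display set` output that flags any family inet or inet6 filter attached as output on both an IRB unit and another interface, which is the condition the description names. The sample lines are constructed, and treating every non-`irb` interface name as a physical interface is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Matches "display set" lines that attach an egress (output) filter to a unit.
ATTACH = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) "
    r"family (?P<family>inet6?) filter output (?P<name>\S+)$"
)


def shared_egress_filters(set_lines):
    """Return {(family, filter): {"irb": [...], "physical": [...]}} for every
    filter attached as output on at least one IRB unit and one other interface."""
    seen = defaultdict(lambda: {"irb": set(), "physical": set()})
    for raw in set_lines:
        m = ATTACH.match(raw.strip())
        if not m:
            continue  # input filters, addresses and unrelated statements
        # Assumption: any interface not named "irb" counts as physical.
        kind = "irb" if m["ifd"] == "irb" else "physical"
        seen[(m["family"], m["name"])][kind].add(f'{m["ifd"]}.{m["unit"]}')
    return {
        key: {side: sorted(units) for side, units in sides.items()}
        for key, sides in seen.items()
        if sides["irb"] and sides["physical"]
    }


# Constructed sample in "display set" form, mirroring the configuration above
# plus attachments that must not be flagged (input direction, single-sided).
SAMPLE = """\
set interfaces irb unit 100 family inet filter output VULNERABLE_FILTER
set interfaces irb unit 100 family inet address 192.168.1.1/24
set interfaces xe-0/0/0 unit 0 family inet filter output VULNERABLE_FILTER
set interfaces xe-0/0/0 unit 0 family inet address 10.0.0.1/24
set interfaces xe-0/0/1 unit 0 family inet filter input VULNERABLE_FILTER
set interfaces xe-0/0/2 unit 0 family inet6 filter output V6_EDGE
set interfaces irb unit 200 family inet filter output IRB_ONLY
""".splitlines()

if __name__ == "__main__":
    for (family, name), sides in shared_egress_filters(SAMPLE).items():
        print(f"{family} filter {name}: "
              f"irb={sides['irb']} physical={sides['physical']}")
```

A hit only matters on the platforms and releases the description lists (EX4100, EX4400, EX4650 and QFX5120 running 23.4R2-S6 or 24.2R2-S3).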
