
CVE-2025-52986: CWE-401 Missing Release of Memory after Effective Lifetime in Juniper Networks Junos OS

Medium
Tags: Vulnerability, CVE-2025-52986, cve, cve-2025-52986, cwe-401
Published: Fri Jul 11 2025 (07/11/2025, 15:10:20 UTC)
Source: CVE Database V5
Vendor/Project: Juniper Networks
Product: Junos OS

Description

A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device.

When RIB sharding is enabled and a user executes one of several routing related 'show' commands, a certain amount of memory is leaked. When all available memory has been consumed rpd will crash and restart.

The leak can be monitored with the CLI command:

    show task memory detail | match task_shard_mgmt_cookie

where the allocated memory in bytes can be seen to continuously increase with each exploitation.

This issue affects:

Junos OS:
* all versions before 21.2R3-S9,
* 21.4 versions before 21.4R3-S11,
* 22.2 versions before 22.2R3-S7,
* 22.4 versions before 22.4R3-S7,
* 23.2 versions before 23.2R2-S4,
* 23.4 versions before 23.4R2-S4,
* 24.2 versions before 24.2R2,
* 24.4 versions before 24.4R1-S2, 24.4R2;

Junos OS Evolved:
* all versions before 22.2R3-S7-EVO
* 22.4-EVO versions before 22.4R3-S7-EVO,
* 23.2-EVO versions before 23.2R2-S4-EVO,
* 23.4-EVO versions before 23.4R2-S4-EVO,
* 24.2-EVO versions before 24.2R2-EVO,
* 24.4-EVO versions before 24.4R2-EVO.

AI-Powered Analysis

Last updated: 07/18/2025, 20:51:26 UTC

Technical Analysis

CVE-2025-52986 is a medium severity vulnerability identified in Juniper Networks Junos OS and Junos OS Evolved, specifically affecting the routing protocol daemon (rpd). The vulnerability is classified under CWE-401, which pertains to missing release of memory after its effective lifetime, commonly known as a memory leak. This flaw occurs when RIB (Routing Information Base) sharding is enabled and a local, low-privileged user executes certain routing-related 'show' commands. These commands cause a memory leak in the rpd process, with the leaked memory continuously increasing as the commands are repeatedly executed. The leak can be monitored using the CLI command 'show task memory detail | match task_shard_mgmt_cookie', which reveals the growing memory allocation in bytes. As the leaked memory accumulates, it eventually consumes all available memory, causing the rpd process to crash and restart, leading to a temporary loss of routing functionality and thus impacting device availability. The vulnerability affects multiple versions of Junos OS and Junos OS Evolved, including all versions before 21.2R3-S9, 21.4 versions before 21.4R3-S11, 22.2 versions before 22.2R3-S7, 22.4 versions before 22.4R3-S7, 23.2 versions before 23.2R2-S4, 23.4 versions before 23.4R2-S4, 24.2 versions before 24.2R2, and 24.4 versions before 24.4R1-S2 and 24.4R2 for Junos OS, and similarly for Junos OS Evolved. The CVSS v3.1 base score is 5.5, reflecting a medium severity with an attack vector limited to local access, low complexity, low privileges required, no user interaction, and impact limited to availability. No known exploits are reported in the wild at the time of publication. The vulnerability does not affect confidentiality or integrity but can cause denial of service due to rpd crashes and restarts.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to network infrastructure stability and availability. Juniper Networks devices running affected versions of Junos OS are widely deployed in enterprise and service provider networks across Europe. An attacker with local access, such as an insider or someone who has gained limited access to network management interfaces, could exploit this flaw to cause repeated rpd crashes, resulting in intermittent or prolonged routing outages. This can disrupt critical business operations, degrade network performance, and impact services dependent on continuous network availability. Sectors such as telecommunications, finance, government, and critical infrastructure operators in Europe could face operational disruptions and potential regulatory scrutiny if network availability is compromised. Although the vulnerability does not allow data exfiltration or modification, the denial of service impact on routing devices can cascade to affect multiple dependent systems and services, increasing the overall risk profile for affected organizations.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading affected Junos OS and Junos OS Evolved devices to the fixed versions as listed by Juniper Networks. Since the vulnerability requires local access and the execution of specific routing-related commands, organizations should also enforce strict access controls and segmentation on network management interfaces to limit local user privileges. Monitoring memory usage of the rpd process using the provided CLI command can help detect early signs of exploitation. Implementing automated alerts for abnormal memory growth in rpd can enable proactive incident response. Additionally, network administrators should review and restrict the use of RIB sharding if it is not essential, as this feature is a prerequisite for the vulnerability. Regular auditing of user accounts and privileges, combined with network segmentation and multi-factor authentication for management access, will reduce the risk of unauthorized exploitation. Finally, organizations should maintain up-to-date backups and have incident response plans ready to address potential network outages caused by rpd crashes.
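An added example, not code from Juniper or from this page's source: a Python triage helper that applies the fixed-version boundaries listed in the description to an inventory of version strings. The version-string shape, the hostnames and the inventory are assumptions constructed for the example; a match only means the release falls in an affected range, since the leak also requires RIB sharding to be enabled.

```python
import re

# First fixed release per train, copied from the advisory text on this page.
# Key: (major, minor) train; value: (R, S) of the first fixed release.
FIXED_JUNOS = {(21, 2): (3, 9), (21, 4): (3, 11), (22, 2): (3, 7), (22, 4): (3, 7),
               (23, 2): (2, 4), (23, 4): (2, 4), (24, 2): (2, 0), (24, 4): (1, 2)}
FIXED_EVO = {(22, 2): (3, 7), (22, 4): (3, 7), (23, 2): (2, 4),
             (23, 4): (2, 4), (24, 2): (2, 0), (24, 4): (2, 0)}

# Assumed version shape: 22.4R3-S5.4 or 23.2R2-S1.3-EVO (build suffix optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")


def triage(version):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"   # e.g. special X releases: review by hand
    train = (int(m[1]), int(m[2]))
    release = (int(m[3]), int(m[4] or 0))   # no -S suffix counts as S0
    table = FIXED_EVO if m[5] else FIXED_JUNOS
    if train < min(table):
        return "affected"   # "all versions before" the oldest listed fix
    if train not in table:
        return "unlisted"   # the advisory names no fix boundary for this train
    return "affected" if release < table[train] else "fixed"


# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {"edge-a": "21.4R3-S10.2", "edge-b": "23.4R2-S4",
             "core-a": "24.4R1-S2-EVO", "core-b": "22.3R1",
             "lab-a": "20.4R3-S8", "lab-b": "22.4X1"}


def report(inventory):
    """Group hostnames by triage result so upgrades can be prioritised."""
    groups = {}
    for host, version in sorted(inventory.items()):
        groups.setdefault(triage(version), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in report(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Trains the advisory does not list are reported as "unlisted" rather than guessed at, so they can be checked against the vendor advisory directly.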


Technical Details

Data Version: 5.1
Assigner Short Name: juniper
Date Reserved: 2025-06-23T18:23:44.546Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68712e3ba83201eaacaf5d1e

Added to database: 7/11/2025, 3:31:07 PM

Last enriched: 7/18/2025, 8:51:26 PM

Last updated: 8/16/2025, 1:23:47 AM
