CVE-2026-21903: CWE-121 Stack-based Buffer Overflow in Juniper Networks Junos OS
A Stack-based Buffer Overflow vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS allows a network-based attacker, authenticated with low privileges, to cause a Denial-of-Service (DoS). Subscribing to telemetry sensors at scale causes all FPC connections to drop, resulting in an FPC crash and restart. The issue was not seen when YANG packages for the specific sensors were installed. This issue affects Junos OS:
- all versions before 22.4R3-S7,
- 23.2 versions before 23.2R2-S4,
- 23.4 versions before 23.4R2.
AI Analysis
Technical Summary
CVE-2026-21903 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the Packet Forwarding Engine (PFE) component of Juniper Networks Junos OS. The flaw is triggered when an authenticated attacker with low privileges subscribes to telemetry sensors at scale, causing all Flexible PIC Concentrator (FPC) connections to drop. This leads to an FPC crash and subsequent restart, resulting in a denial-of-service condition. The vulnerability affects all Junos OS versions before 22.4R3-S7, 23.2 versions before 23.2R2-S4, and 23.4 versions before 23.4R2. Notably, the issue does not manifest if YANG packages for the specific telemetry sensors are installed, which indicates that the overflow lies in how sensor data is handled when those packages are absent. The vulnerability requires network access and low-privilege authentication but no user interaction. The CVSS v3.1 score is 6.5, a medium severity reflecting an impact on availability only, with no confidentiality or integrity compromise. No known exploits are currently reported in the wild. The vulnerability highlights a risk in telemetry data processing within Junos OS, a function that is critical for network monitoring and management.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network availability, especially for those heavily reliant on Juniper Networks infrastructure for routing and switching. The denial-of-service caused by FPC crashes can disrupt critical network operations, impacting business continuity and service delivery. Telecommunications providers, financial institutions, and large enterprises using Junos OS for their core network infrastructure may experience outages or degraded performance. The requirement for low-privilege authentication means insider threats or compromised credentials could be leveraged to exploit this vulnerability. Although confidentiality and integrity are not directly affected, the availability impact can indirectly affect operational security and compliance with regulations such as the NIS Directive and GDPR, which mandate network resilience. The absence of known exploits reduces immediate risk but does not eliminate the threat of future exploitation.
Mitigation Recommendations
European organizations should immediately verify their Junos OS versions and upgrade to the fixed releases: 22.4R3-S7 or later, 23.2R2-S4 or later, and 23.4R2 or later. Where upgrading is not immediately feasible, installing the relevant YANG packages for the telemetry sensors in use can mitigate the issue, since the overflow was not observed with those packages present. Network administrators should restrict telemetry sensor subscriptions to trusted users and monitor for unusual subscription activity (for example, many subscriptions opened in a short period from one account) that may indicate exploitation attempts. Implement strict access controls and multi-factor authentication for network management interfaces to reduce the risk posed by low-privilege authenticated attackers. Additionally, network segmentation can limit exposure of critical Junos OS devices. Regularly audit and monitor FPC status and logs for signs of instability or crashes. Engage with Juniper Networks support for any vendor-specific mitigation advice and apply the fixed releases promptly.
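The version check above is easy to get wrong by hand because Junos release strings carry a release (R) and a service (S) component on top of the train number. The following is an added example, not code from the page or from Juniper, that parses a Junos version string and classifies it against exactly the three ranges the advisory lists; it assumes the common `<major>.<minor>R<release>[-S<service>]` format, and the `Junos:` line it looks for in `show version` output is an assumption about that command's output. Trains the advisory does not mention (such as 23.1 or 24.x) are reported as "not in advisory" rather than treated as safe.

```python
import re
from typing import NamedTuple

# Assumed Junos release grammar: "<major>.<minor>R<release>[-S<service>][.<build>]",
# e.g. 22.4R3-S7 or 22.4R3-S7.2 (the build number is ignored for comparison).
_JUNOS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int
    service: int  # 0 when there is no -S suffix

    @classmethod
    def parse(cls, text: str) -> "JunosVersion":
        m = _JUNOS_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Junos version: {text!r}")
        major, minor, rel, svc = m.groups()
        return cls(int(major), int(minor), int(rel), int(svc or 0))

    @property
    def train(self) -> tuple:
        return (self.major, self.minor)


# Affected ranges as stated in the advisory: (train predicate, first fixed release).
_RANGES = [
    (lambda t: t <= (22, 4), JunosVersion.parse("22.4R3-S7")),  # all versions before 22.4R3-S7
    (lambda t: t == (23, 2), JunosVersion.parse("23.2R2-S4")),  # 23.2 before 23.2R2-S4
    (lambda t: t == (23, 4), JunosVersion.parse("23.4R2")),     # 23.4 before 23.4R2
]


def cve_2026_21903_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not in advisory' for one Junos release string."""
    v = JunosVersion.parse(version)
    for in_train, first_fixed in _RANGES:
        if in_train(v.train):
            # Tuple comparison orders (major, minor, release, service) lexicographically.
            return "affected" if v < first_fixed else "fixed"
    return "not in advisory"  # unlisted train: do not silently assume it is safe


def status_from_show_version(output: str) -> str:
    """Classify the 'Junos: <version>' line of `show version` output (assumed format)."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return cve_2026_21903_status(m.group(1))


# Constructed sample of `show version` output for a stand-alone run.
SAMPLE_SHOW_VERSION = "Hostname: edge1\nModel: mx480\nJunos: 22.4R3-S5.4\n"
```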
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: juniper
- Date Reserved: 2026-01-05T17:32:48.709Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69694e761ab3796b10500106
Added to database: 1/15/2026, 8:30:46 PM
Last enriched: 1/15/2026, 8:48:14 PM
Last updated: 1/15/2026, 9:55:40 PM