CVE-2026-21905 is a vulnerability classified under CWE-835 (Loop with Unreachable Exit Condition) found in the SIP application layer gateway (ALG) of Juniper Networks Junos OS running on SRX Series and MX Series devices equipped with MX-SPC3 or MS-MPC service cards. The flaw arises when the SIP ALG improperly parses multiple SIP messages sent over TCP, causing the SIP headers to be misinterpreted and triggering an infinite loop within the flow management process. This loop leads to the expiration of a watchdog timer, which forcibly crashes the flowd process on SRX Series and MX Series with MX-SPC3 cards, or the mspmand process on MX Series with MS-MPC cards. The vulnerability is exploitable remotely by an unauthenticated attacker who can send crafted SIP messages over TCP, without requiring any user interaction. This results in a denial of service (DoS) condition by disrupting critical flow management processes that handle network traffic. The issue affects a broad range of Junos OS versions prior to the patched releases starting from 21.2R3-S10 and continuing through multiple subsequent versions up to 25.2R2. The vulnerability does not affect SIP messages sent over UDP, limiting the attack vector to TCP-based SIP traffic. Although no exploits have been observed in the wild yet, the vulnerability's characteristics—remote, unauthenticated, no user interaction, and high impact on availability—make it a significant risk for network operators using affected Juniper devices. Juniper has published patches in the indicated versions to address this issue.

The primary impact of CVE-2026-21905 is a denial of service condition caused by crashing critical flow management processes on Juniper SRX and MX Series devices. For European organizations, especially those relying on Juniper devices for perimeter security, routing, or session management in their networks, this vulnerability could lead to significant network outages or degraded service availability. Disruption of flowd or mspmand processes can interrupt traffic inspection, firewalling, and routing functions, potentially causing widespread connectivity issues. This is particularly critical for telecommunications providers, financial institutions, government agencies, and enterprises with high availability requirements. The vulnerability does not expose confidentiality or integrity risks directly but can be leveraged as part of a larger attack to degrade network defenses or cause operational disruption. Given the widespread use of Juniper devices in Europe’s telecom and enterprise sectors, the potential for service interruption is notable. The lack of authentication requirement and ease of triggering the flaw over TCP increases the risk of exploitation from both external attackers and insider threats. However, the attack vector is limited to SIP traffic over TCP, which may reduce exposure in environments where SIP is not used or is segregated.

To mitigate CVE-2026-21905, European organizations should prioritize upgrading affected Juniper Junos OS devices to the fixed versions starting from 21.2R3-S10, 21.4R3-S12, 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S3, 24.4R2-S1, and 25.2R1-S1 or later as applicable. Until patches can be applied, organizations should implement network-level controls to limit exposure to malicious SIP TCP traffic. This includes deploying firewall rules or access control lists (ACLs) to restrict SIP traffic to trusted sources and segregating SIP traffic from critical network infrastructure. Monitoring and alerting on abnormal SIP message patterns or repeated flowd/mspmand process crashes can provide early detection of exploitation attempts. Additionally, disabling SIP ALG functionality on Juniper devices where it is not required can reduce the attack surface. Network segmentation to isolate SIP traffic and employing intrusion prevention systems (IPS) with signatures targeting malformed SIP messages can further mitigate risk. Regularly reviewing device logs and flow management process health is recommended to detect potential exploitation. Organizations should also engage with Juniper support for guidance and verify that all devices are running supported and patched software versions.