CVE-2026-21905 is a vulnerability classified under CWE-835 (Loop with Unreachable Exit Condition) found in the SIP application layer gateway (ALG) component of Juniper Networks Junos OS running on SRX Series and MX Series routers equipped with MX-SPC3 or MS-MPC service cards. The flaw arises when the device receives multiple SIP messages over TCP; the SIP headers are parsed incorrectly, causing the processing loop to become infinite. This infinite loop leads to the expiration of a watchdog timer, which in turn crashes the flow management process—specifically, the flowd process on SRX Series and MX Series with MX-SPC3 cards, or the mspmand process on MX Series with MS-MPC cards. The crash results in a denial of service (DoS) condition, disrupting the device's ability to manage network flows. The vulnerability is exploitable remotely without authentication or user interaction, making it accessible to unauthenticated network-based attackers who can send crafted SIP messages over TCP. Notably, SIP messages over UDP do not trigger this issue. The affected Junos OS versions span multiple releases before the patched versions 21.2R3-S10, 21.4R3-S12, 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S3, 24.4R2-S1, and 25.2R1-S1/25.2R2. Although no known exploits are reported in the wild, the vulnerability's characteristics and ease of exploitation make it a significant risk for network availability. The root cause is improper SIP header parsing leading to an infinite loop, a classic denial of service vector in network protocol handling components.

For European organizations, the impact of CVE-2026-21905 can be substantial, especially for those relying on Juniper SRX and MX Series devices for critical network security and routing functions. The denial of service caused by crashing flow management processes can lead to network outages, degraded performance, and loss of connectivity for enterprise and service provider networks. This disruption can affect business operations, critical communications, and service availability. Telecommunications providers using Juniper MX Series routers with affected service cards may experience service interruptions impacting large customer bases. Enterprises with SRX Series firewalls may face security gaps during downtime, increasing exposure to other threats. The vulnerability’s unauthenticated, network-based exploit vector means attackers can launch attacks remotely without prior access, increasing the risk of widespread disruption. Given the importance of these devices in network infrastructure, the potential for cascading effects on dependent services and applications is significant. Additionally, the inability to handle SIP traffic properly may affect VoIP and unified communications systems that rely on SIP, further impacting business communications.

The primary mitigation is to apply the vendor-provided patches by upgrading affected Junos OS versions to the fixed releases listed: 21.2R3-S10 or later, 21.4R3-S12 or later, 22.4R3-S8 or later, 23.2R2-S5 or later, 23.4R2-S6 or later, 24.2R2-S3 or later, 24.4R2-S1 or later, and 25.2R1-S1/25.2R2 or later. Until patches can be applied, organizations should implement network-level controls to limit exposure. This includes filtering or rate-limiting SIP traffic over TCP at network perimeters and ingress points, especially from untrusted sources. Monitoring SIP traffic for abnormal patterns or excessive malformed messages can help detect exploitation attempts early. Disabling SIP ALG functionality on affected devices, if feasible without impacting business operations, can reduce attack surface. Employing intrusion detection/prevention systems (IDS/IPS) with signatures targeting malformed SIP TCP messages may provide additional protection. Regularly auditing device configurations and ensuring minimal exposure of management interfaces to untrusted networks is recommended. Finally, organizations should prepare incident response plans to quickly address potential DoS events caused by this vulnerability.