CVE-2026-21906 is a vulnerability classified under CWE-755 (Improper Handling of Exceptional Conditions) affecting the packet forwarding engine (PFE) of Juniper Networks Junos OS on SRX Series devices. The flaw arises when the PFE processes a crafted ICMP packet sent through a GRE tunnel while PowerMode IPsec (PMI) and GRE performance acceleration are enabled. PMI is a mode that enhances IPsec performance using Vector Packet Processing and is enabled by default, while GRE performance acceleration must be explicitly enabled on supported SRX platforms. The vulnerability allows an unauthenticated, network-based attacker to send a specific ICMP packet that triggers an exceptional condition not properly handled by the PFE, causing it to crash and restart. This results in a denial of service due to traffic disruption. The affected Junos OS versions include all releases before 21.4R3-S12, and various subsequent versions up to but not including patched releases such as 22.4R3-S8, 23.2R2-S5, 23.4R2-S5, 24.2R2-S3, 24.4R2-S1, and 25.2R1-S1/25.2R2. The CVSS v3.1 base score is 7.5, reflecting network attack vector, no required privileges or user interaction, and high impact on availability. No known exploits have been reported in the wild yet, but the vulnerability’s characteristics make it a credible threat for denial of service attacks against critical network infrastructure. Juniper has not provided patch links in the provided data, but affected users should prioritize updating to the fixed versions as soon as they become available.

For European organizations, this vulnerability poses a significant risk to network availability and operational continuity, especially for those relying on Juniper SRX Series devices for perimeter security, VPN termination, and traffic routing. A successful exploit can cause the packet forwarding engine to crash and restart, leading to temporary traffic loss and potential service outages. This can disrupt business-critical communications, impact remote access via IPsec VPNs, and degrade network performance. Sectors such as finance, telecommunications, government, and critical infrastructure operators in Europe that deploy Juniper SRX devices are particularly vulnerable. The unauthenticated, network-based nature of the attack vector means attackers can exploit this remotely without prior access, increasing the threat surface. Additionally, the default enabling of PMI means many devices may be exposed even without explicit configuration changes. The resulting denial of service could facilitate further attacks by distracting or disabling network defenses.

European organizations should immediately audit their Juniper SRX Series devices to identify affected Junos OS versions and verify if GRE performance acceleration is enabled alongside PMI. Since PMI is enabled by default, special attention should be given to GRE acceleration settings. Organizations should plan and apply Juniper’s security patches as soon as they are released for the affected versions, prioritizing updates to the fixed releases listed in the advisory. Until patches are applied, consider disabling GRE performance acceleration if feasible to reduce exposure. Network administrators should implement monitoring for unusual ICMP traffic patterns, especially ICMP packets traversing GRE tunnels, and apply rate limiting or filtering where appropriate. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures targeting anomalous ICMP GRE traffic may help detect exploitation attempts. Additionally, network segmentation and strict access controls on management and data plane interfaces can limit exposure. Regularly reviewing vendor advisories and subscribing to Juniper security notifications will ensure timely awareness of updates.