CVE-2026-21911: CWE-682 Incorrect Calculation in Juniper Networks Junos OS Evolved
CVE-2026-21911 is an incorrect calculation vulnerability in the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS Evolved. It allows an unauthenticated network-adjacent attacker to flap the management interface, causing the system to stop learning new MAC addresses over label-switched interfaces and generating excessive logs that lead to high CPU usage. This results in a denial-of-service condition affecting network device availability. The vulnerability affects multiple versions of Junos OS Evolved prior to specific patched releases. Exploitation does not require authentication or user interaction but requires network adjacency. The CVSS score is 6.5 (medium severity) with impact primarily on availability. No known exploits are reported in the wild yet.
AI Analysis
Technical Summary
CVE-2026-21911 is a vulnerability classified under CWE-682 (Incorrect Calculation) found in the Layer 2 Control Protocol Daemon (l2cpd) component of Juniper Networks Junos OS Evolved. The flaw arises from improper handling of MAC address learning over label-switched interfaces (LSI) when the management interface is flapped by an unauthenticated attacker who is network-adjacent. This causes the daemon to cease learning new MAC addresses, which disrupts normal Layer 2 forwarding behavior. Concurrently, the system generates a flood of log messages containing detailed internal state and error codes, which leads to excessive CPU consumption and potential denial of service. The vulnerability affects all versions before 21.4R3-S7-EVO, and multiple subsequent versions up to 23.4R2-EVO, indicating a broad impact across many deployed releases. The attack vector requires only network adjacency and no privileges or user interaction, making it relatively easy to exploit in environments where an attacker can send traffic to the management interface. The vulnerability does not impact confidentiality or integrity but significantly affects availability by degrading device performance and network stability. Juniper has published the vulnerability with a CVSS v3.1 score of 6.5, reflecting medium severity due to the availability impact and ease of exploitation. No public exploits or active exploitation have been reported to date.
Potential Impact
For European organizations, this vulnerability poses a risk to the availability and stability of critical network infrastructure using Juniper Junos OS Evolved devices. Disruption of MAC learning on label-switched interfaces can degrade network performance, cause traffic forwarding issues, and potentially lead to network outages or degraded service quality. High CPU usage triggered by log flooding can further impact device responsiveness and availability, affecting enterprise networks, data centers, and service provider infrastructure. Organizations relying on Juniper routers and switches for core or edge networking, especially those with management interfaces exposed or accessible within internal networks, are at risk. The impact is particularly significant for sectors requiring high network uptime such as finance, telecommunications, healthcare, and government services. While the vulnerability does not compromise data confidentiality or integrity, the denial-of-service effect can interrupt business operations and critical communications.
Mitigation Recommendations
To mitigate CVE-2026-21911, European organizations should promptly upgrade affected Junos OS Evolved devices to the fixed versions listed by Juniper (21.4R3-S7-EVO or later for earlier branches, and corresponding patched releases for 22.2, 22.3, 22.4, 23.2, and 23.4 branches). Until patches are applied, organizations should restrict access to management interfaces to trusted and authenticated network segments only, using network segmentation and access control lists (ACLs) to prevent unauthorized network-adjacent attackers from reaching the vulnerable daemon. Monitoring for unusual log flooding and CPU spikes on Juniper devices can help detect attempted exploitation. Additionally, implementing rate limiting on management interface traffic and enabling logging thresholds can reduce the impact of log floods. Network operators should review and harden Layer 2 control protocols and consider disabling unused or unnecessary services related to l2cpd. Regular vulnerability scanning and asset inventory to identify affected Junos OS Evolved versions are essential for timely remediation.
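The log-flood monitoring recommended above can be implemented as a sliding-window counter over collected syslog lines; this is an added example, not code from the advisory or from Juniper. The line layout, host names, window and threshold are assumptions, and the sample lines are constructed with placeholder message text.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (not from the advisory):
#   "<ISO-8601 time> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([\w.-]+)\[\d+\]:\s")

def find_log_floods(lines, process="l2cpd", window_s=10, threshold=50):
    """Return (host, burst_start, count) once per burst, at the moment a host
    reaches `threshold` messages from `process` within `window_s` seconds.
    Lines are expected in time order per host."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # host -> timestamps still inside the window
    in_burst = defaultdict(bool)     # host -> already alerted for current burst
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != process:
            continue                 # other daemons or unparseable lines
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue
        host, q = m.group(2), recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:    # drop entries older than the window
            q.popleft()
        if len(q) < threshold:
            in_burst[host] = False
        elif not in_burst[host]:
            in_burst[host] = True
            alerts.append((host, q[0], len(q)))
    return alerts

def build_sample():
    """Constructed syslog lines; the message text is a placeholder."""
    t0 = datetime(2026, 1, 15, 20, 30, 0)
    def fmt(ts, host, proc):
        return f"{ts.isoformat(timespec='milliseconds')} {host} {proc}[100]: <constructed message>"
    lines = [fmt(t0 + timedelta(seconds=60 * i), "rtr-a", "l2cpd") for i in range(5)]
    lines += [fmt(t0 + timedelta(seconds=300, milliseconds=100 * i), "rtr-a", "l2cpd") for i in range(80)]
    lines += [fmt(t0 + timedelta(seconds=30 * i), "rtr-b", "l2cpd") for i in range(10)]
    lines += [fmt(t0 + timedelta(milliseconds=10 * i), "rtr-b", "sshd") for i in range(100)]
    return lines

if __name__ == "__main__":
    for host, start, count in find_log_floods(build_sample()):
        print(f"{host}: {count} l2cpd messages within 10s starting {start.isoformat()}")
```

Tune the window and threshold against each device's normal l2cpd log rate, and correlate alerts with CPU utilisation and management-interface link events before treating them as exploitation attempts.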
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: juniper
- Date Reserved: 2026-01-05T17:32:48.710Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69694e771ab3796b1050014f
Added to database: 1/15/2026, 8:30:47 PM
Last enriched: 1/22/2026, 9:37:51 PM
Last updated: 2/5/2026, 1:37:29 PM