CVE-2026-21912 identifies a Time-of-check Time-of-use (TOCTOU) race condition vulnerability classified under CWE-367 in Juniper Networks Junos OS running on MX10k Series routers equipped with LC480 or LC2101 line cards. The vulnerability arises in the method responsible for collecting Flexible PIC Concentrator (FPC) Ethernet firmware statistics when the 'show system firmware' CLI command is executed. A local attacker with low privileges can exploit this race condition by repeatedly invoking this command, causing the targeted line card to crash and restart. Subsequently, the chassisd daemon, responsible for chassis management, may also crash and generate core dumps, further impacting system stability. The affected Junos OS versions span multiple releases before specific patch versions: all versions before 21.2R3-S10, from 21.4 before 21.4R3-S9, from 22.2 before 22.2R3-S7, from 22.4 before 22.4R3-S6, from 23.2 before 23.2R2-S2, from 23.4 before 23.4R2-S3, and from 24.2 before 24.2R2. The CVSS v3.1 base score is 5.5 (medium), reflecting the local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). There are no known exploits in the wild at this time. The vulnerability does not allow remote exploitation or privilege escalation but can cause denial-of-service conditions on critical network infrastructure components.

For European organizations, this vulnerability poses a significant risk to network availability, particularly for those relying on Juniper MX10k Series routers with LC480 or LC2101 line cards in their core or edge network infrastructure. A successful exploitation can cause line card resets and chassisd crashes, leading to temporary loss of routing capabilities, potential network outages, and degraded service quality. This can disrupt business operations, especially for ISPs, data centers, and enterprises with critical network dependencies. While confidentiality and integrity remain unaffected, the availability impact can cascade, affecting dependent services and customers. The requirement for local access limits the attack surface but insider threats or compromised administrative accounts could exploit this vulnerability. Additionally, the generation of core dumps may expose sensitive debugging information if not properly secured. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

1. Apply Juniper Networks' security patches for Junos OS as soon as they become available for the affected versions, prioritizing updates to versions 21.2R3-S10 or later, 21.4R3-S9 or later, 22.2R3-S7 or later, 22.4R3-S6 or later, 23.2R2-S2 or later, 23.4R2-S3 or later, and 24.2R2 or later. 2. Restrict local CLI access to trusted administrators only, implementing strict access controls and monitoring to prevent unauthorized command execution. 3. Employ role-based access control (RBAC) to limit the ability to execute the 'show system firmware' command to necessary personnel. 4. Monitor system logs and chassisd process behavior for signs of repeated crashes or abnormal restarts indicative of exploitation attempts. 5. Implement network segmentation to isolate management interfaces and reduce the risk of lateral movement by attackers with local access. 6. Conduct regular audits of user accounts and privileges to detect and remove unnecessary or dormant accounts. 7. Prepare incident response plans to quickly address potential denial-of-service events affecting network infrastructure. 8. Consider deploying additional redundancy in network paths to mitigate the impact of line card failures.