CVE-2026-21913: CWE-1419 Incorrect Initialization of Resource in Juniper Networks Junos OS
An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted. The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message: reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S2, 25.2R2. This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1.
AI Analysis
Technical Summary
CVE-2026-21913 is a vulnerability classified under CWE-1419 (Incorrect Initialization of Resource) found in the Internal Device Manager (IDM) component of Juniper Networks Junos OS running on EX4000-48T, EX4000-48P, and EX4000-48MP switch models. The flaw arises from improper resource initialization that can be triggered by an unauthenticated attacker sending a high volume of network traffic destined to the device. This causes the FXPC (Flexible Packet Control) process to crash and subsequently restart the device, leading to a denial-of-service condition. The device remains unavailable until the automatic reboot completes, causing a complete service outage. The vulnerability affects Junos OS versions starting from 24.4 up to but not including 24.4R2, and versions 25.2 prior to 25.2R1-S2 and 25.2R2. The reboot reason logged is a watchdog panic with a core dump, indicating a forced recovery triggered by the system's internal watchdog timer. Exploitation requires no authentication or user interaction, and the attack vector is purely network-based, making it accessible to remote attackers. Although no exploits have been observed in the wild, the vulnerability's nature and ease of exploitation make it a critical concern for network infrastructure stability.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network availability and operational continuity, especially for those using Juniper EX4000 switches in their core or distribution networks. A successful attack can cause prolonged outages affecting critical services, including enterprise communications, data center connectivity, and internet access. This can disrupt business operations, lead to financial losses, and damage reputation. Sectors such as finance, telecommunications, government, and critical infrastructure operators in Europe are particularly vulnerable due to their reliance on stable network infrastructure. The lack of authentication and user interaction requirements increases the attack surface, allowing potentially any external attacker to disrupt services remotely. Additionally, the automatic reboot may cause cascading failures in highly available network architectures if redundancy is not properly configured or if multiple devices are targeted simultaneously.
Mitigation Recommendations
European organizations should prioritize upgrading affected Junos OS versions to 24.4R2, 25.2R1-S2, 25.2R2, or later where the vulnerability is patched. Until patches are applied, network administrators should implement strict ingress filtering and rate limiting on traffic destined to EX4000 devices to mitigate high-volume traffic floods. Deploying network-based anomaly detection systems to identify unusual traffic patterns targeting these devices can provide early warning. Isolating vulnerable switches from untrusted networks or restricting management interfaces to trusted IP ranges reduces exposure. Regularly monitoring device logs for watchdog panic messages can help detect attempted exploitation. Additionally, organizations should review and test their network redundancy and failover mechanisms to ensure resilience against device restarts. Coordination with Juniper Networks support for guidance and updates is recommended. Finally, incorporating this vulnerability into incident response plans will improve readiness to respond to potential DoS attacks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
CVE-2026-21913: CWE-1419 Incorrect Initialization of Resource in Juniper Networks Junos OS
Description
An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted. The following reboot reason can be seen in the output of 'show chassis routing-engine' and as a log message: reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S2, 25.2R2. This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1.
AI-Powered Analysis
Technical Analysis
CVE-2026-21913 is a vulnerability classified under CWE-1419 (Incorrect Initialization of Resource) found in the Internal Device Manager (IDM) component of Juniper Networks Junos OS running on EX4000-48T, EX4000-48P, and EX4000-48MP switch models. The flaw arises from improper resource initialization that can be triggered by an unauthenticated attacker sending a high volume of network traffic destined to the device. This causes the FXPC (Flexible Packet Control) process to crash and subsequently restart the device, leading to a denial-of-service condition. The device remains unavailable until the automatic reboot completes, causing a complete service outage. The vulnerability affects Junos OS versions starting from 24.4 up to but not including 24.4R2, and versions 25.2 prior to 25.2R1-S2 and 25.2R2. The reboot reason logged is a watchdog panic with a core dump, indicating a forced recovery triggered by the system's internal watchdog timer. Exploitation requires no authentication or user interaction, and the attack vector is purely network-based, making it accessible to remote attackers. Although no exploits have been observed in the wild, the vulnerability's nature and ease of exploitation make it a critical concern for network infrastructure stability.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network availability and operational continuity, especially for those using Juniper EX4000 switches in their core or distribution networks. A successful attack can cause prolonged outages affecting critical services, including enterprise communications, data center connectivity, and internet access. This can disrupt business operations, lead to financial losses, and damage reputation. Sectors such as finance, telecommunications, government, and critical infrastructure operators in Europe are particularly vulnerable due to their reliance on stable network infrastructure. The lack of authentication and user interaction requirements increases the attack surface, allowing potentially any external attacker to disrupt services remotely. Additionally, the automatic reboot may cause cascading failures in highly available network architectures if redundancy is not properly configured or if multiple devices are targeted simultaneously.
Mitigation Recommendations
European organizations should prioritize upgrading affected Junos OS versions to 24.4R2, 25.2R1-S2, 25.2R2, or later where the vulnerability is patched. Until patches are applied, network administrators should implement strict ingress filtering and rate limiting on traffic destined to EX4000 devices to mitigate high-volume traffic floods. Deploying network-based anomaly detection systems to identify unusual traffic patterns targeting these devices can provide early warning. Isolating vulnerable switches from untrusted networks or restricting management interfaces to trusted IP ranges reduces exposure. Regularly monitoring device logs for watchdog panic messages can help detect attempted exploitation. Additionally, organizations should review and test their network redundancy and failover mechanisms to ensure resilience against device restarts. Coordination with Juniper Networks support for guidance and updates is recommended. Finally, incorporating this vulnerability into incident response plans will improve readiness to respond to potential DoS attacks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- juniper
- Date Reserved
- 2026-01-05T17:32:48.710Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69694e771ab3796b10500157
Added to database: 1/15/2026, 8:30:47 PM
Last enriched: 1/15/2026, 8:45:18 PM
Last updated: 1/15/2026, 9:31:01 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-65368: n/a
MediumCVE-2025-67025: n/a
MediumCVE-2026-21921: CWE-416 Use After Free in Juniper Networks Junos OS
MediumCVE-2026-21920: CWE-252 Unchecked Return Value in Juniper Networks Junos OS
HighCVE-2026-21918: CWE-415 Double Free in Juniper Networks Junos OS
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.