This vulnerability (CVE-2026-33778) in Juniper Networks Junos OS arises from improper validation of syntactic correctness of input in the IPsec library components kmd and iked. When an affected device receives a malformed initial ISAKMP packet, the kmd/iked processes crash and restart, causing a denial of service by temporarily preventing new security associations. Repeatedly triggering this condition leads to a complete inability to establish new VPN connections. The issue affects Junos OS on SRX and MX Series devices across multiple versions before the following fixed releases: 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S4, 24.4R2-S3, and 25.2R1-S2/25.2R2. The CVSS v3.1 score is 7.5 (High), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impact on availability only. Juniper manages remediation for this cloud-hosted service, and a patch is available.

An unauthenticated attacker can cause the kmd and iked processes to crash and restart by sending a malformed ISAKMP packet, resulting in a denial of service. This disrupts the establishment of new VPN security associations, and repeated exploitation can completely prevent new VPN connections from being established. There is no impact on confidentiality or integrity reported. No known exploits are currently observed in the wild.

A patch is available for this vulnerability in the specified Junos OS versions. Juniper Networks manages remediation for this cloud-hosted service, so customers should verify that their devices are updated to the fixed versions: 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S4, 24.4R2-S3, or 25.2R1-S2/25.2R2. Check the official Juniper advisory for the latest remediation guidance and apply updates accordingly.