Cyber Resilience

CVE-2024-39564

High

Published: 05 February 2025

Published
05 February 2025
Modified
26 January 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X
EPSS Score 0.0034 57.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-39564 is a high-severity Double Free (CWE-415) vulnerability in Juniper Junos. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-39564 is a double-free vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. The issue, which is similar but distinct from CVE-2024-39549, occurs when an attacker sends a malformed BGP Path attribute update that allocates memory for logging the invalid attribute, triggering a double-free condition and causing an rpd crash. It affects Junos OS versions from 22.4 prior to 22.4R3-S4 and Junos OS Evolved versions from 22.4 prior to 22.4R3-S4-EVO.

A remote, unauthenticated attacker with network access can exploit this vulnerability by transmitting the malformed BGP update, leading to a denial of service (DoS) through the rpd process crash. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its high availability impact, low attack complexity, and lack of required privileges, making it feasible for attackers able to reach BGP sessions.

Juniper's advisory JSA83011 provides details on mitigation, available at https://supportportal.juniper.net/JSA83011. Affected systems should be upgraded to Junos OS 22.4R3-S4 or later, or Junos OS Evolved 22.4R3-S4-EVO or later, to address the vulnerability.

EU & UK References

Vulnerability details

This is a similar, but different vulnerability than the issue reported as CVE-2024-39549. A double-free vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker to send a malformed BGP Path…

more

attribute update which allocates memory used to log the bad path attribute. This double free of memory is causing an rpd crash, leading to a Denial of Service (DoS). This issue affects: Junos OS: * from 22.4 before 22.4R3-S4. Junos OS Evolved: * from 22.4 before 22.4R3-S4-EVO.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Malformed BGP update triggers double-free crash in rpd, directly enabling application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21598Same product: Juniper Junos
CVE-2025-60003Same product: Juniper Junos
CVE-2026-33797Same product: Juniper Junos
CVE-2025-59960Same product: Juniper Junos
CVE-2026-33793Same product: Juniper Junos
CVE-2026-21908Same product: Juniper Junos
CVE-2026-21918Same product: Juniper Junos
CVE-2026-21913Same product: Juniper Junos
CVE-2026-33790Same product: Juniper Junos
CVE-2026-21906Same product: Juniper Junos

Affected Assets

juniper
junos
21.2, 21.4, 22.2, 22.3, 22.4 · ≤ 21.2
juniper
junos os evolved
21.2, 21.4, 22.2, 22.3, 22.4 · ≤ 21.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through vendor patches directly eliminates the double-free vulnerability in the rpd process triggered by malformed BGP updates.

prevent

Memory protection safeguards such as safe unlinking and heap integrity checks mitigate the impact of double-free conditions in the rpd daemon.

prevent

Input validation of BGP path attributes prevents malformed updates from reaching the logging mechanism that triggers the double-free.

References