CVE-2026-21905
Published: 15 January 2026
Summary
CVE-2026-21905 is a high-severity Infinite Loop (CWE-835) vulnerability in Juniper Junos. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21905 is a Loop with Unreachable Exit Condition (infinite loop) vulnerability, classified under CWE-835, in the Session Initiation Protocol (SIP) application layer gateway (ALG) of Juniper Networks Junos OS. It affects SRX Series devices and MX Series routers equipped with MX-SPC3 or MS-MPC service cards. The vulnerability arises when the SIP ALG incorrectly parses multiple SIP headers in messages received over TCP, leading to a continuous parsing loop that triggers a watchdog timer expiration. This crashes the flowd process on SRX Series and MX Series with MX-SPC3, or the mspmand process on MX Series with MS-MPC. The issue does not affect SIP messages over UDP and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Vulnerable versions include all releases prior to 21.2R3-S10, and specific ranges in the 21.4, 22.4, 23.2, 23.4, 24.2, 24.4, and 25.2 series.
An unauthenticated, network-based attacker can exploit this vulnerability by sending crafted SIP messages over TCP to a vulnerable device. Receipt of multiple such messages triggers the infinite loop in the SIP ALG, causing the flow management process to crash and resulting in a Denial of Service (DoS) condition. The crash disrupts traffic processing on the affected service cards, potentially impacting SIP-related traffic forwarding until the process restarts.
Juniper Security Advisory JSA106004, available at kb.juniper.net/JSA106004 and supportportal.juniper.net/JSA106004, details the affected versions and recommends upgrading to a fixed release, such as 21.2R3-S10 or later non-vulnerable versions in the specified series, to mitigate the issue. No workarounds are mentioned in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2687
Vulnerability details
A Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the SIP application layer gateway (ALG) of Juniper Networks Junos OS on SRX Series and MX Series with MX-SPC3 or MS-MPC allows an unauthenticated network-based attacker sending specific SIP messages…
more
over TCP to crash the flow management process, leading to a Denial of Service (DoS). On SRX Series, and MX Series with MX-SPC3 or MS-MPC service cards, receipt of multiple SIP messages causes the SIP headers to be parsed incorrectly, eventually causing a continuous loop and leading to a watchdog timer expiration, crashing the flowd process on SRX Series and MX Series with MX-SPC3, or mspmand process on MX Series with MS-MPC. This issue only occurs over TCP. SIP messages sent over UDP cannot trigger this issue. This issue affects Junos OS on SRX Series and MX Series with MX-SPC3 and MS-MPC: * all versions before 21.2R3-S10, * from 21.4 before 21.4R3-S12, * from 22.4 before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S1, 25.2R2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote unauthenticated exploitation of a public-facing SIP ALG service on network devices (T1190) to trigger process crash via crafted input, resulting in endpoint DoS (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by requiring timely flaw remediation through vendor patches to fix the infinite loop in SIP ALG parsing.
Requires validation of SIP message inputs to prevent malformed headers from triggering the unreachable exit condition loop.
Protects against the DoS caused by flowd or mspmand process crashes from crafted TCP SIP messages.