CVE-2026-21908
Published: 15 January 2026
Summary
CVE-2026-21908 is a high-severity Use After Free (CWE-416) vulnerability in Juniper Junos. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
UAF in root-privileged dot1xd daemon directly enables remote exploitation by authenticated adjacent attacker for RCE (privilege escalation) or DoS via crafted CoA/port events.
NVD Description
A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a…
more
Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS: * from 23.2R2-S1 before 23.2R2-S5, * from 23.4R2 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S1, * from 25.2 before 25.2R1-S2, 25.2R2; Junos OS Evolved: * from 23.2R2-S1 before 23.2R2-S5-EVO, * from 23.4R2 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-S3-EVO, * from 24.4 before 24.4R2-S1-EVO, * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO.
Deeper analysisAI
CVE-2026-21908 is a Use After Free vulnerability (CWE-416) in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved. The flaw occurs during processing of a change in authorization (CoA) event coinciding with a port bounce, where a pointer is freed but later referenced in the same code path. It affects systems with 802.1X authentication port-based network access control (PNAC) enabled, specifically Junos OS versions from 23.2R2-S1 before 23.2R2-S5, from 23.4R2 before 23.4R2-S6, from 24.2 before 24.2R2-S3, from 24.4 before 24.4R2-S1, and from 25.2 before 25.2R1-S2 or 25.2R2; and Junos OS Evolved versions from 23.2R2-S1 before 23.2R2-S5-EVO, from 23.4R2 before 23.4R2-S6-EVO, from 24.2 before 24.2R2-S3-EVO, from 24.4 before 24.4R2-S1-EVO, and from 25.2 before 25.2R1-S2-EVO or 25.2R2-EVO. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated, network-adjacent attacker can exploit this by flapping a port, potentially crashing the dot1xd process and causing a Denial of Service (DoS), or achieving arbitrary code execution within the context of the root-privileged process. Exploitation requires precise timing between the CoA event and port bounce to trigger the vulnerable code path, placing successful attacks outside the attacker's direct control.
Mitigation details, including patches for affected versions, are provided in Juniper Security Advisory JSA106007, accessible at https://kb.juniper.net/JSA106007 and https://supportportal.juniper.net/JSA106007.
Details
- CWE(s)