Cyber Resilience

CVE-2026-21914

High

Published: 15 January 2026

Published
15 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
EPSS Score 0.0030 21.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21914 is a high-severity Improper Locking (CWE-667) vulnerability in Juniper Junos. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21914 is an Improper Locking vulnerability (CWE-667) in the GTP plugin of Juniper Networks Junos OS on SRX Series devices. It affects all versions prior to 22.4R3-S8, 23.2 versions before 23.2R2-S5, 23.4 versions before 23.4R2-S6, 24.2 versions before 24.2R2-S3, 24.4 versions before 24.4R2-S2, and 25.2 versions before 25.2R1-S1 or 25.2R2. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-01-15.

An unauthenticated, network-based attacker can exploit this vulnerability by sending a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message to an SRX Series device. This causes a lock to be acquired and never released in the GTP plugin, preventing other threads from acquiring the lock, which triggers a watchdog timeout. The result is an FPC crash and restart, leading to a complete traffic outage until the device automatically recovers, effectively causing a Denial-of-Service (DoS).

Juniper's security advisory JSA106015, available at kb.juniper.net/JSA106015 and supportportal.juniper.net/JSA106015, details the issue and confirms that it is resolved in the listed patched versions of Junos OS on SRX Series devices. Security practitioners should upgrade affected systems to these versions to mitigate the vulnerability.

EU & UK References

Vulnerability details

An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify…

more

Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Malformed GTP packet triggers improper lock leading to crash; directly enables remote exploitation of public-facing service for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21917Same product: Juniper Junos
CVE-2026-21906Same product: Juniper Junos
CVE-2026-33790Same product: Juniper Junos
CVE-2026-21920Same product: Juniper Junos
CVE-2026-21905Same product: Juniper Junos
CVE-2026-21918Same product: Juniper Junos
CVE-2026-33778Same product: Juniper Junos
CVE-2024-39564Same product: Juniper Junos
CVE-2025-60003Same product: Juniper Junos
CVE-2025-21598Same product: Juniper Junos

Affected Assets

juniper
junos
22.4, 23.2, 23.4, 24.2, 24.4 · ≤ 22.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of vendor patches that eliminate the improper-locking flaw in the GTP plugin.

prevent

Mandates validation of all input (including GTP Modify Bearer Request messages) so malformed packets cannot trigger the unreleased lock and subsequent FPC crash.

prevent

Requires mechanisms that limit the impact of network-based DoS conditions on system availability, mitigating the traffic outage caused by the watchdog timeout.

References