CVE-2026-21918
Published: 15 January 2026
Summary
CVE-2026-21918 is a high-severity Double Free (CWE-415) vulnerability in Juniper Junos. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21918 is a Double Free vulnerability (CWE-415) in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series platforms. The issue occurs when a specific sequence of packets is encountered during TCP session establishment, triggering a double free that causes flowd to crash and the respective Flexible PIC Concentrator (FPC) to restart. This affects all versions of Junos OS prior to 22.4R3-S7, 23.2 versions before 23.2R2-S3, 23.4 versions before 23.4R2-S4, and 24.2 versions before 24.2R2. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated, network-based attacker can exploit this vulnerability by sending the specific sequence of packets during TCP session establishment to any affected SRX or MX Series device. Successful exploitation results in a Denial-of-Service (DoS) condition, as the flowd crash and FPC restart disrupt traffic processing on the targeted platform.
Juniper's security advisory JSA106018, available at kb.juniper.net/JSA106018 and supportportal.juniper.net/JSA106018, details the affected versions and recommends upgrading to a patched release such as Junos OS 22.4R3-S7 or later, 23.2R2-S3 or later, 23.4R2-S4 or later, or 24.2R2 or later to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2697
Vulnerability details
A Double Free vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX and MX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On all SRX and MX Series platforms, when during TCP…
more
session establishment a specific sequence of packets is encountered a double free happens. This causes flowd to crash and the respective FPC to restart. This issue affects Junos OS on SRX and MX Series: * all versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated packet sequence triggers double-free crash in public-facing flowd daemon (T1190), directly resulting in application/system DoS via exploitation (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely installation of vendor patches to remediate the double free vulnerability in the flowd daemon as recommended in Juniper advisory JSA106018.
Implements denial-of-service protections such as rate limiting and packet filtering to block the specific sequence of TCP packets that trigger the flowd crash.
Monitors system resources and events to detect flowd crashes, FPC restarts, or anomalous TCP session patterns indicative of exploitation attempts.