Cyber Resilience

CVE-2026-21920

High

Published: 15 January 2026

Published
15 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X
EPSS Score 0.0044 34.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21920 is a high-severity Unchecked Return Value (CWE-252) vulnerability in Juniper Junos. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-21920 is an Unchecked Return Value vulnerability (CWE-252) in the DNS module of Juniper Networks Junos OS on SRX Series devices. It affects Junos OS versions 23.4 prior to 23.4R2-S5, 24.2 prior to 24.2R2-S1, and 24.4 prior to 24.4R2. The vulnerability does not impact Junos OS versions before 23.4R1. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting high availability impact with no confidentiality or integrity effects.

An unauthenticated, network-based attacker can exploit this vulnerability by sending a specifically formatted DNS request to an SRX Series device configured for DNS processing. This triggers the flowd process to crash and restart, causing a Denial-of-Service (DoS) condition and temporary service interruption until the process recovers.

Juniper Networks has published security advisory JSA106020, accessible at https://kb.juniper.net/JSA106020 and https://supportportal.juniper.net/JSA106020, which details the affected versions and recommends mitigation by upgrading to patched releases such as 23.4R2-S5, 24.2R2-S1, or 24.4R2.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing, receives a specifically formatted…

more

DNS request flowd will crash and restart, which causes a service interruption until the process has recovered. This issue affects Junos OS on SRX Series: * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R2. This issue does not affect Junos OS versions before 23.4R1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Crafted DNS request exploits unchecked return value in public-facing DNS service on SRX, directly causing flowd crash for endpoint DoS via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21906Same product: Juniper Junos
CVE-2026-33790Same product: Juniper Junos
CVE-2026-21917Same product: Juniper Junos
CVE-2026-21914Same product: Juniper Junos
CVE-2026-21905Same product: Juniper Junos
CVE-2026-21918Same product: Juniper Junos
CVE-2026-33778Same product: Juniper Junos
CVE-2024-39564Same product: Juniper Junos
CVE-2025-60003Same product: Juniper Junos
CVE-2025-21598Same product: Juniper Junos

Affected Assets

juniper
junos
23.4, 24.2, 24.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the specific unchecked return value flaw in the Junos OS DNS module via patching to affected SRX Series versions.

prevent

Mandates secure error handling to prevent unchecked return values from causing flowd crashes during DNS request processing.

prevent

Enforces validation of DNS request inputs to block specially formatted packets that trigger the DoS vulnerability.

References