CVE-2026-33797
Published: 09 April 2026
Summary
CVE-2026-33797 is a high-severity Improper Input Validation (CWE-20) vulnerability in Juniper Junos. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Denial of Service (T1498); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of information inputs at defined points, directly addressing the improper input validation in BGP packet processing that leads to session reset.
SI-2 mandates timely flaw remediation through patching, enabling upgrades to fixed Junos OS versions that correct the BGP vulnerability.
SC-5 employs techniques to protect against or limit denial-of-service events, mitigating the sustained BGP session resets caused by repeated crafted packets.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables sending crafted BGP packets over established sessions to reset them, directly causing sustained Denial of Service on network routing services, mapping to Network Denial of Service.
NVD Description
An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session to reset only that session causing a Denial of…
more
Service (DoS). An attacker repeatedly sending the packet will sustain the Denial of Service (DoS).This issue affects Junos OS: * 25.2 versions before 25.2R2 This issue does not affect Junos OS versions before 25.2R1. This issue affects Junos OS Evolved: * 25.2-EVO versions before 25.2R2-EVO This issue does not affect Junos OS Evolved versions before 25.2R1-EVO. eBGP and iBGP are affected. IPv4 and IPv6 are affected.
Deeper analysisAI
CVE-2026-33797 is an Improper Input Validation vulnerability (CWE-20) in the BGP implementation of Juniper Networks Junos OS and Junos OS Evolved. It affects Junos OS versions 25.2 prior to 25.2R2, as well as Junos OS Evolved versions 25.2-EVO prior to 25.2R2-EVO; earlier versions before 25.2R1 or 25.2R1-EVO respectively are not impacted. Both eBGP and iBGP sessions are vulnerable, as are IPv4 and IPv6 unicast traffic. The issue has a CVSS v3.1 base score of 7.4 (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
An unauthenticated attacker with adjacent network access can exploit this vulnerability by sending a specifically crafted but genuine BGP packet over an already established BGP session. This causes the targeted BGP session to reset, resulting in a Denial of Service (DoS) condition. Repeated transmission of the packet sustains the DoS, potentially disrupting routing operations for the affected session without impacting other sessions or services.
Juniper Networks advisories JSA107850, available at https://kb.juniper.net/JSA107850 and https://supportportal.juniper.net/JSA107850, detail the issue and recommend upgrading to fixed releases such as Junos OS 25.2R2 or later and Junos OS Evolved 25.2R2-EVO or later. No additional workarounds are specified in the provided information.
Details
- CWE(s)