CVE-2026-21908
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: Juniper Networks, Inc.

Description
A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but was then referenced later in the same code path. Successful exploitation is outside the attacker's direct control due to the specific timing of the two events required to execute the vulnerable code path. This issue affects systems with 802.1X authentication port-based network access control (PNAC) enabled. This issue affects: Junos OS:  * from 23.2R2-S1 before 23.2R2-S5,  * from 23.4R2 before 23.4R2-S6,  * from 24.2 before 24.2R2-S3,  * from 24.4 before 24.4R2-S1,  * from 25.2 before 25.2R1-S2, 25.2R2;  Junos OS Evolved:  * from 23.2R2-S1 before 23.2R2-S5-EVO,  * from 23.4R2 before 23.4R2-S6-EVO,  * from 24.2 before 24.2R2-S3-EVO,  * from 24.4 before 24.4R2-S1-EVO,  * from 25.2 before 25.2R1-S2-EVO, 25.2R2-EVO.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-05-07
AI Q&A
2026-01-16
EPSS Evaluated
2026-05-05
NVD
CVE-2026-21908
EUVD
EUVD-2026-2690
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
juniper junoss to 23.2r2-s5 (exc)
juniper junoss to 23.4r2-s6 (exc)
juniper junoss to 24.2r2-s3 (exc)
juniper junoss to 24.4r2-s1 (exc)
juniper junoss to 25.2r1-s2 (exc)
juniper junoss From 25.2r2 (inc)
juniper junosevolved to 23.2r2-s5-evo (exc)
juniper junosevolved to 23.4r2-s6-evo (exc)
juniper junosevolved to 24.2r2-s3-evo (exc)
juniper junosevolved to 24.4r2-s1-evo (exc)
juniper junosevolved to 25.2r1-s2-evo (exc)
juniper junosevolved From 25.2r2-evo (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Use After Free issue in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved. It occurs when a pointer is freed but then later referenced during the processing of a change in authorization (CoA) triggered by a port bounce. An authenticated, network-adjacent attacker who repeatedly flaps a port could exploit this flaw to crash the dot1xd process, causing a Denial of Service (DoS), or potentially execute arbitrary code with root privileges. However, successful exploitation requires precise timing of events and is not fully under the attacker's control.


How can this vulnerability impact me? :

The vulnerability can impact you by allowing an authenticated, network-adjacent attacker to cause a Denial of Service (DoS) by crashing the 802.1X authentication daemon (dot1xd). In a worst-case scenario, the attacker might also execute arbitrary code with root privileges, potentially compromising the affected system's security and control.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart