CVE-2026-21914
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: Juniper Networks, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| juniper_networks | junos_os | to 22.4R3-S8 (exc) |
| juniper_networks | junos_os | to 23.2R2-S5 (exc) |
| juniper_networks | junos_os | to 23.4R2-S6 (exc) |
| juniper_networks | junos_os | to 24.2R2-S3 (exc) |
| juniper_networks | junos_os | to 24.4R2-S2 (exc) |
| juniper_networks | junos_os | to 25.2R1-S1 (exc) |
| juniper_networks | junos_os | to 25.2R2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-667 | The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Locking issue in the GTP plugin of Juniper Networks Junos OS on SRX Series devices. An unauthenticated attacker can send a specially malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message that causes a lock to be acquired and never released. This prevents other threads from acquiring the lock, leading to a watchdog timeout, which causes the FPC (Flexible PIC Concentrator) to crash and restart.
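The lock-handling pattern behind CWE-667, as an added example that is not Juniper's code: a handler that returns on a validation failure while still holding the lock, beside a form that releases it on every path. All names (session_t, handle_leaky, handle_fixed, MIN_MSG_LEN) and the sample messages are hypothetical, and a C11 atomic_flag stands in for the real lock.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical session guarded by a lock; atomic_flag stands in for the real primitive. */
typedef struct { atomic_flag locked; unsigned updates; } session_t;
typedef int (*handler_fn)(session_t *, const unsigned char *, size_t);
enum { OK = 0, ERR_MALFORMED = -1, ERR_BUSY = -2 };
#define MIN_MSG_LEN 8 /* constructed minimum length, not a GTP constant */

/* Non-blocking acquire so the demo reports contention instead of hanging;
   with a blocking lock the caller would stall here until a watchdog fires. */
static int try_lock(session_t *s) { return !atomic_flag_test_and_set(&s->locked); }
static void unlock(session_t *s) { atomic_flag_clear(&s->locked); }

/* Flawed: the validation failure returns while the lock is still held. */
int handle_leaky(session_t *s, const unsigned char *msg, size_t len)
{
    if (!try_lock(s)) return ERR_BUSY;
    if (msg == NULL || len < MIN_MSG_LEN)
        return ERR_MALFORMED; /* lock is never released */
    s->updates++;
    unlock(s);
    return OK;
}

/* Hardened: a single exit path, so every return releases the lock. */
int handle_fixed(session_t *s, const unsigned char *msg, size_t len)
{
    int rc = OK;
    if (!try_lock(s)) return ERR_BUSY;
    if (msg == NULL || len < MIN_MSG_LEN) { rc = ERR_MALFORMED; goto out; }
    s->updates++;
out:
    unlock(s);
    return rc;
}

/* Process one too-short (constructed) message, then a valid one; return the second result. */
int valid_after_malformed(handler_fn h)
{
    session_t s = { ATOMIC_FLAG_INIT, 0 };
    static const unsigned char bad[2] = {0}, good[MIN_MSG_LEN] = {0};
    (void)h(&s, bad, sizeof bad);
    return h(&s, good, sizeof good);
}

int main(void)
{
    printf("leaky: %d\n", valid_after_malformed(handle_leaky));
    printf("fixed: %d\n", valid_after_malformed(handle_fixed));
    return 0;
}
```

With the flawed handler, the valid message that follows the rejected one can no longer take the lock; with the hardened handler it is processed normally.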
How can this vulnerability impact me?
The impact of this vulnerability is a Denial-of-Service (DoS) condition. When exploited, it causes the affected device to experience a complete traffic outage until it automatically recovers from the FPC crash and restart. This means network services relying on the SRX Series device could be disrupted temporarily.