CVE-2026-21901
Awaiting Analysis Awaiting Analysis - Queue

NULL Pointer Dereference in Juniper Junos OS SSH Daemon

Vulnerability report for CVE-2026-21901, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: Juniper Networks, Inc.

Description

A NULL Pointer Dereference vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker setting or deactivating a specific SSH configuration parameter to create a Denial of Service (DoS). A local high-privileged user configuring or deactivating a specific 'system services ssh' configuration parameter can exploit a null pointer dereference in one of the functions used by SSH. The function attempts to dereference a null pointer when accessing certain configuration data, resulting in an mgd process crash and restart. Continued execution of these configuration commands will create a sustained Denial of Service (DoS) condition. This issue affects: Junos OS: * from 22.3 before 22.3R3-S5; * from 22.4 before 22.4R3-S10; * from 23.2 before 23.2R2-S7; * from 23.4 before 23.4R2-S8. This issue does not affect Junos OS before 22.3R1. Junos OS Evolved: * from 22.3R1-EVO before 23.2R2-S7-EVO; * from 23.4 before 23.4R2-S8-EVO. This issue does not affect Junos OS Evolved before 22.3R1-EVO.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
juniper junos_os From 22.3 (inc) to 22.3R3-S5 (exc)
juniper junos_os From 22.4 (inc) to 22.4R3-S10 (exc)
juniper junos_os From 23.2 (inc) to 23.2R2-S7 (exc)
juniper junos_os From 23.4 (inc) to 23.4R2-S8 (exc)
juniper junos_os_evolved From 22.3R1-EVO (inc) to 23.2R2-S7-EVO (exc)
juniper junos_os_evolved From 23.4 (inc) to 23.4R2-S8-EVO (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a NULL Pointer Dereference in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved. It occurs when a local, high-privileged user sets or deactivates a specific SSH configuration parameter. The vulnerability causes the mgd process to crash and restart because the function handling the SSH configuration attempts to dereference a null pointer. Repeated execution of these configuration commands can create a sustained Denial of Service (DoS) condition.

Impact Analysis

The impact of this vulnerability is a Denial of Service (DoS) condition on the affected Junos OS or Junos OS Evolved device. A local, high-privileged attacker can cause the management daemon to crash and restart repeatedly by exploiting this issue, potentially disrupting management access and operations on the device.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking if the management daemon (mgd) process crashes or restarts unexpectedly when specific SSH configuration parameters are set or deactivated.

Specifically, an administrator can attempt to set the 'authorized-principals-command' SSH parameter to a file path using the CLI. If this causes the mgd daemon to crash or restart, the system is vulnerable.

Since the vulnerability requires administrative privileges, detection commands would involve using Junos OS CLI commands to configure SSH parameters and monitoring the mgd process.

  • Use the Junos CLI to set the authorized-principals-command parameter, for example: 'set system services ssh authorized-principals-command /path/to/file'
  • Monitor the mgd process for crashes or restarts after applying the configuration.
  • Check system logs for segmentation faults (SIGSEGV) related to mgd or for mgd process restarts.
Mitigation Strategies

Immediate mitigation steps include upgrading affected Junos OS or Junos OS Evolved versions to the fixed releases such as 23.4R2-S8, 22.4R3-S10, or later.

Since no direct workarounds exist, it is recommended to limit CLI access to trusted hosts and administrators to reduce the risk of exploitation.

Avoid setting or deactivating the specific SSH configuration parameter 'authorized-principals-command' until the system is patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21901. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart