CVE-2026-21914

Jan. 16, 2026, 3:55 p.m.

8.7
High

Description

An Improper Locking vulnerability in the GTP plugin of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos). If an SRX Series device receives a specifically malformed GPRS Tunnelling Protocol (GTP) Modify Bearer Request message, a lock is acquired and never released. This results in other threads not being able to acquire a lock themselves, causing a watchdog timeout leading to FPC crash and restart. This issue leads to a complete traffic outage until the device has automatically recovered. This issue affects Junos OS on SRX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S1, 25.2R2.

Product(s) Impacted

Vendor Product Versions
Juniper Networks
  • Junos Os
  • <22.4R3-S8, 23.2, 23.4, 24.2, 24.4, 25.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-667
Improper Locking
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a juniper_networks junos_os <22.4R3-S8 / / / / / /
a juniper_networks junos_os 23.2 <23.2R2-S5 / / / / / /
a juniper_networks junos_os 23.4 <23.4R2-S6 / / / / / /
a juniper_networks junos_os 24.2 <24.2R2-S3 / / / / / /
a juniper_networks junos_os 24.4 <24.4R2-S2 / / / / / /
a juniper_networks junos_os 25.2 <25.2R1-S1 / / / / / /
a juniper_networks junos_os 25.2 <25.2R2 / / / / / /

References

https://kb.juniper.net/JSA106015
https://supportportal.juniper.net/JSA106015

Tags

[email protected]
CWE-667
2026-01-15
CVE-2026-21914

CVSS Score

8.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X

    View Vector String

Timeline

Published: Jan. 15, 2026, 9:16 p.m.
Last Modified: Jan. 16, 2026, 3:55 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.