Juniper Junos OS (EX4k/QFX5k), Improper Check for Unusual or Exceptional Conditions, CVE‑2026‑21910 (Medium) -DC-Jul2026-914

Listen to this Post

CVE‑2026‑21910 is a vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS running on EX4k and QFX5k Series platforms. The flaw stems from an improper check for unusual or exceptional conditions when handling link flap events in an EVPN‑VXLAN environment that uses Link Aggregation Groups (LAGs). Under normal operation, when multiple load‑balanced next‑hop routes exist for the same destination, a link flap (interface going up/down) in the LAG should not disrupt traffic forwarding. However, due to the incorrect condition handling, the PFE enters a state where traffic between VXLAN Network Identifiers (VNIs) is dropped permanently. This issue affects only systems that support EVPN‑VXLAN Virtual Port‑Link Aggregation Groups (VPLAG), such as QFX5110, QFX5120, QFX5200, EX4100, EX4300, EX4400, and EX4650. The attack is triggered by an unauthenticated, network‑adjacent attacker who can physically or logically flap an interface. Once the condition is met, the only recovery method is to restart the affected Flexible PIC Concentrator (FPC) using the `request chassis fpc restart slot ` command; a simple reboot of the entire chassis is not sufficient. The vulnerability affects all Junos OS versions before 21.4R3‑S12, all versions of 22.2, versions from 22.4 before 22.4R3‑S8, from 23.2 before 23.2R2‑S5, and from 23.4 before 23.4R2‑S5. Juniper has released fixed versions that correct the exceptional condition check in the PFE, preventing the traffic drop scenario. The CVSS v3.1 base score is 6.5 (Medium), with the vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network‑adjacent, low‑complexity attack that requires no privileges or user interaction, resulting in a high availability impact.

DailyCVE Form:

Platform: Juniper Junos OS (EX4k/QFX5k)
Version: <21.4R3‑S12, 22.2.x, 22.4<22.4R3‑S8, 23.2<23.2R2‑S5, 23.4<23.4R2‑S5
Vulnerability: Improper Check for Unusual/Exceptional Conditions
Severity: Medium (CVSS 6.5)
Date: 2026‑01‑15
Prediction: Patch available in fixed releases (21.4R3‑S12, 22.4R3‑S8, 23.2R2‑S5, 23.4R2‑S5, etc.)

What Undercode Say:

Analytics:

  • CVSS v3.1 Base Score: 6.5 (Medium)
  • CVSS v4.0 Score: 7.1 (High)
  • EPSS Percentile: 15%
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: Availability (High)

Bash Commands & Code Snippets:

Check current Junos OS version
show version | match "JUNOS"
Verify if the system is running an affected release
show version detail | match "21.4|22.2|22.4|23.2|23.4"
Restart the affected FPC to recover from the DoS condition
request chassis fpc restart slot <slot-number>
Monitor FPC status
show chassis fpc
Example script to detect vulnerable version (bash)
junos_version=$(show version | grep -oP 'JUNOS \K[0-9]+.[0-9]+')
if [[ "$junos_version" =~ ^(21.4|22.2|22.4|23.2|23.4) ]]; then
echo "WARNING: System may be vulnerable to CVE-2026-21910"
else
echo "Version not in known vulnerable range."
fi

Exploit:

An attacker with network adjacency (i.e., on the same broadcast domain) can repeatedly flap a physical or logical interface that is part of an EVPN‑VXLAN VPLAG. By toggling the link state up and down, the attacker forces the PFE to mishandle the exceptional condition, causing all inter‑VNI traffic to be dropped. No authentication is required, and the attack does not depend on any specific payload; it is purely a timing and state‑manipulation attack. Once triggered, the DoS persists until an administrator manually restarts the affected FPC.

Protection:

  • Upgrade to a fixed Junos OS release: 21.4R3‑S12, 22.4R3‑S8, 23.2R2‑S5, 23.4R2‑S5, or any later version that includes the patch .
  • If immediate upgrade is not possible, disable VPLAG or avoid using EVPN‑VXLAN with LAG on the affected platforms.
  • Monitor interface flap events and set up alerts for excessive link toggling.
  • Restrict physical access to network ports to prevent unauthorized link flapping.

Impact:

Successful exploitation leads to a complete loss of traffic between VXLAN segments on the affected switch, effectively isolating parts of the network. The service disruption is persistent and requires manual intervention (FPC restart) to restore normal operation. There is no confidentiality or integrity impact, but the availability of the network is severely compromised, potentially affecting all dependent services and applications.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top