CVE-2026-33794 in Junos OS Evolvedinfo

Summary

by MITRE • 07/10/2026

An Improper Check for Unusual or Exceptional Conditions vulnerability in the

advanced forwarding toolkit (evo-aftmand)

of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated network-based attacker generating continuous routing updates, resulting in unilist ECMP routes, to crash the

evo-aftmand process on the PFE, leading to a Denial-of-Service (DoS). The conditions required for successful exploitation are based on a sequence of events that are outside an attacker's direct control.

Unified list (unilist) ECMP routes are a specific ECMP behavior where multiple equal-cost routes share a single logical next-hop list entry. The router treats them as one route with multiple next hops and load balances traffic across that unified list. Due to an issue processing unilist ECMP routing updates, internal state corruption may occur, especially in large-scale ECMP unilist deployments, leading to the evo-aftmand process crashing, resulting in an evo-aftmand-bx core. Manual intervention is required to recover by rebooting the system or restarting the FPC.

This issue affects Junos OS Evolved on PTX :


* from 24.4R2-EVO before 24.4R2-S3-EVO; * from 25.2 before 25.2R2-EVO.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability under examination represents an improper check for unusual or exceptional conditions within Juniper Networks' advanced forwarding toolkit component known as evo-aftmand in the Junos OS Evolved operating system specifically deployed on PTX Series devices. This flaw manifests as a denial-of-service condition that can be triggered by unauthenticated network-based attackers who generate continuous routing updates designed to create unilist ECMP routes. The technical implementation of this vulnerability resides in the insufficient validation mechanisms within the evo-aftmand process, which fails to properly handle exceptional routing update sequences that result in internal state corruption.

The exploitation of this vulnerability requires a specific sequence of events that are not directly controllable by the attacker, making it more challenging to execute but still possible under certain network conditions. Unilist ECMP routes represent a particular routing behavior where multiple equal-cost paths are consolidated into a single logical next-hop list entry, enabling load balancing across multiple destinations. This feature becomes problematic when processing continuous routing updates because the internal state management within evo-aftmand does not adequately account for the complex interactions that occur during large-scale unilist ECMP deployments.

The operational impact of this vulnerability is significant as it results in the complete crash of the evo-aftmand process on the Packet Forwarding Engine, creating what is known as an evo-aftmand-bx core dump. This failure mode effectively renders the routing functionality unavailable until manual intervention occurs through system reboot or FPC restart procedures. The vulnerability affects specific software versions including releases from 24.4R2-EVO before 24.4R2-S3-EVO and versions from 25.2 before 25.2R2-EVO, indicating that the flaw has existed across multiple release branches and requires targeted patching for remediation.

From a cybersecurity perspective, this vulnerability aligns with CWE-703 (Improper Check or Handling of Exceptional Conditions) and represents a classic example of inadequate error handling in network infrastructure software. The ATT&CK framework categorizes this as a Denial of Service attack vector through process corruption, specifically leveraging route manipulation techniques to disrupt network operations. The requirement for continuous routing updates suggests that this vulnerability may be more prevalent in dynamic network environments where frequent route changes occur, making it particularly concerning for service providers and enterprise networks that rely heavily on ECMP routing for traffic distribution and redundancy.

The underlying technical flaw demonstrates a failure in the software's defensive programming practices, where exceptional conditions during routing update processing are not properly anticipated or handled. This type of vulnerability is particularly dangerous because it can cause cascading failures within network infrastructure, potentially affecting multiple network segments if the evo-aftmand process controls critical forwarding operations. The fact that recovery requires manual intervention indicates that the system does not have adequate self-healing mechanisms to recover from this specific state corruption, which could lead to extended service disruption times and potential impact on network availability metrics.

Network administrators should implement monitoring solutions to detect unusual routing update patterns that might indicate exploitation attempts, while also preparing for potential service disruptions during patch deployment windows. The vulnerability highlights the importance of robust error handling in network operating systems, particularly when dealing with complex routing behaviors such as ECMP unilist operations. Organizations should prioritize upgrading affected systems to patched versions while maintaining awareness of similar vulnerabilities in other networking components that may exhibit comparable failure modes in their exception handling mechanisms.

Responsible

Juniper

Reservation

03/23/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!