CVE-2026-33800 in Junos OSinfo

Summary

by MITRE • 07/10/2026

An Unchecked Input for Loop Condition vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).Micro-BFD session flaps generate respective up/down events which are queued by PFEMAN for processing. Especially in a Virtual-Chassis (VC) scenario with locality‑bias configured, processing takes a significant amount of time for each event. If these sessions keep flapping, new events are constantly added, and in turn PFEMAN never completes processing these events. This results in the PFEMAN watchdog timer expiring, which causes the FPC to crash and restart, representing a complete service outage.


This issue only affects MX series FPCs up to and including MPC9. It does not affect MPC10/11, LC4800/9600 and MX304.

This issue affects Junos OS on MX Series:


* all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S8, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S3, * 25.2 versions before 25.2R2.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability under discussion represents a critical unchecked input for loop condition flaw within the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS operating on MX Series routers. This security weakness specifically targets the PFEMAN component responsible for processing Micro-BFD session events, creating a scenario where an unauthenticated attacker positioned in the same network segment can trigger sustained denial-of-service conditions. The vulnerability manifests through the improper handling of session flap events that are queued for processing by PFEMAN, where each event requires significant processing time particularly in Virtual-Chassis configurations with locality-bias enabled.

The technical exploitation occurs when Micro-BFD sessions continuously flap between up and down states, generating respective events that accumulate in PFEMAN's processing queue. In Virtual-Chassis scenarios with locality-bias configured, the processing overhead for each event becomes substantially higher due to the additional coordination requirements between different FPCs in the chassis. This creates a cascading effect where new events are continuously added to the queue while the system attempts to process existing ones, resulting in an infinite loop condition that prevents proper event handling. The vulnerability is particularly dangerous because it operates at the hardware level within the FPC (Flexible Packet Controller) components, making it difficult to detect and mitigate through traditional software-based approaches.

The operational impact of this vulnerability extends beyond simple service disruption to encompass complete system outages that can severely affect network availability and reliability. When PFEMAN becomes overwhelmed with processing tasks due to continuous event queuing, the watchdog timer eventually expires, triggering an automatic restart of the affected FPC module. This restart process results in complete service interruption as routing operations cease until the system recovers and re-establishes normal forwarding functionality. The vulnerability affects only specific hardware platforms including MX series FPCs up to and including MPC9, excluding newer models such as MPC10/11, LC4800/9600, and MX304, which suggests that the issue was addressed in later hardware generations or software versions.

The root cause of this vulnerability aligns with CWE-707, specifically the weakness related to improper handling of input for loop conditions where the validation mechanism fails to properly check the termination criteria for processing loops. This flaw directly enables an attacker to manipulate system resources through controlled input patterns that create resource exhaustion conditions. From an ATT&CK framework perspective, this vulnerability maps to T1499.004 (Endpoint Denial of Service) and T1566.002 (Phishing via Social Engineering), as the attack requires physical proximity or network access to trigger but can cause significant service disruption. The vulnerability also demonstrates characteristics consistent with T1070.004 (Indicator Removal on Host) through its ability to create persistent resource starvation conditions that may mask other security issues.

Mitigation strategies for this vulnerability should focus on immediate software upgrades to patched versions of Junos OS as specified in the advisory, including versions 23.2R2-S7, 23.4R2-S8, 24.2R2-S4, 24.4R2-S3, and 25.2R2. Network administrators should also implement monitoring solutions to detect abnormal BFD session flapping patterns that could indicate exploitation attempts. Additional protective measures include disabling unnecessary Micro-BFD sessions where possible and implementing network segmentation to limit the attack surface. The vulnerability highlights the importance of proper input validation in system-level components and demonstrates how seemingly minor processing flaws can result in catastrophic service disruption, particularly in high-availability network environments where continuous operation is critical for business continuity.

Responsible

Juniper

Reservation

03/23/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!