CVE-2026-57020 in Junos OSinfo

Summary

by MITRE • 07/10/2026

An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).

On all QFX10000 platforms in an EVPN-VxLAN scenario, if an attacker sends IPv6 multicast traffic and these packets reach the non-IRB interface of a spine switch it floods the packet to other spines and all Ethernet Segment Identifier (ESI) leaf switches. This flooding causes the packet to be forwarded in a endless loop, which can lead to saturation of the involved links and in turn impact to legitimate traffic.



This issue affects Junos OS on QFX10000 Series:


* all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S8, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S4.



This issue does not affect Junos version after 24.4 as the QFX10000 Series devices are not supported on newer versions anymore.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability under examination represents an improper check for unusual or exceptional conditions within the packet forwarding engine of Juniper Networks Junos OS running on QFX10000 Series switches. This weakness manifests specifically in EVPN-VxLAN network environments where the system fails to properly validate incoming IPv6 multicast traffic destined for non-IRB interfaces on spine switches. The flaw operates at the fundamental level of packet processing logic, where normal network behavior becomes disrupted by malformed or unexpected traffic patterns that trigger abnormal forwarding mechanisms.

The technical execution of this vulnerability occurs when an adjacent attacker crafts and transmits IPv6 multicast packets to a non-IRB interface of a spine switch within an EVPN-VxLAN topology. The system's packet forwarding engine lacks adequate validation mechanisms to detect this exceptional condition, causing it to flood the malicious packet throughout the entire network infrastructure. This flooding behavior creates a recursive forwarding loop where packets continuously circulate between spine switches and all connected Ethernet Segment Identifier leaf switches, resulting in an infinite packet propagation cycle that rapidly consumes available network bandwidth.

The operational impact of this vulnerability extends beyond simple service disruption to create severe performance degradation across affected networks. The endless packet looping causes saturation of network links as traffic volume exponentially increases, effectively rendering the affected infrastructure incapable of handling legitimate traffic flows. Network administrators may observe complete loss of connectivity between switches, intermittent service outages, and significant degradation of overall network performance that impacts business-critical applications relying on these forwarding devices.

This vulnerability aligns with CWE-703, Improper Check for Unusual Conditions, which describes situations where software fails to detect or properly handle exceptional circumstances that could lead to system instability or denial of service. The attack pattern follows the ATT&CK technique T1498, Network Denial of Service, specifically targeting infrastructure components through malformed traffic injection. The affected Junos OS versions demonstrate a clear regression in defensive mechanisms that should have been implemented in network forwarding engines to prevent such recursive packet handling scenarios.

Mitigation strategies must focus on immediate software updates to patched versions including 23.2R2-S7, 23.4R2-S8, 24.2R2-S4, and 24.4R2-S4, as well as network segmentation and access control measures to limit adjacent attacker access to affected interfaces. Network administrators should implement ingress filtering policies to restrict IPv6 multicast traffic at network boundaries and consider implementing rate limiting mechanisms on non-IRB interfaces to prevent rapid packet flooding. Additionally, monitoring systems should be enhanced to detect unusual packet looping patterns that could indicate exploitation attempts.

The vulnerability highlights the critical importance of robust input validation in network forwarding engines, particularly in complex overlay networks like EVPN-VxLAN where packet handling logic becomes increasingly sophisticated and prone to edge case failures. Network security teams must recognize that vulnerabilities in forwarding planes can have cascading effects across entire network topologies, making early detection and remediation essential for maintaining operational continuity. Organizations should also implement comprehensive testing procedures for network firmware updates to ensure that defensive mechanisms remain effective against known attack patterns while maintaining expected network functionality.

Responsible

Juniper

Reservation

06/23/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!