CVE-2026-57027 in Junos OSinfo

Summary

by MITRE • 07/10/2026

A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series devices allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS).When sFlow is configured in a Virtual Chassis (VC) scenario with EX4100 Series or EX4400 Series devices, multicast traffic which is received on one VC member and sent out on another member leads to a memory leak and ultimately an FPC crash and restart.

The leak can be monitored by watching the continuous increase of the buffer values in the output of:

user@host> show chassis fpc This issue affects Junos OS on EX4100 Series and EX4400:


* all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability represents a critical memory management flaw within the packet forwarding engine of Juniper Networks Junos OS operating on EX Series devices. The issue manifests specifically in Virtual Chassis configurations involving EX4100 and EX4400 series hardware, where an unauthenticated attacker with physical access to the network infrastructure can trigger a persistent denial-of-service condition through carefully crafted multicast traffic patterns. The vulnerability stems from improper memory deallocation within the forwarding plane when sFlow monitoring is active, creating a scenario where allocated memory resources are not properly released after their effective lifetime has concluded.

The technical mechanism behind this vulnerability involves the packet forwarding engine's handling of multicast traffic flows that traverse between different members of a Virtual Chassis configuration. When sFlow is enabled on EX4100 or EX4400 devices within a Virtual Chassis setup, the system maintains references to memory buffers allocated for traffic processing across multiple forwarding processors. The flaw occurs when multicast packets are received on one VC member and forwarded out through another member, causing the system to continuously allocate new memory resources while failing to properly release the previously allocated buffers from the original forwarding processor.

The operational impact of this vulnerability is severe as it creates a progressive memory leak that ultimately results in Forwarding Processor Card (FPC) crashes and complete system restarts. Network administrators can monitor this issue through the show chassis fpc command which displays increasing buffer values indicative of the memory consumption growth. This condition effectively transforms a stable network infrastructure into an unreliable service that requires frequent manual intervention, potentially causing significant disruption to network operations and service availability.

Security implications extend beyond simple DoS conditions as this vulnerability provides an attacker with a persistent means of network disruption without requiring authentication credentials or sophisticated attack techniques. The requirement for physical adjacency limits the attack surface but does not eliminate the risk, particularly in environments where unauthorized physical access is possible. This vulnerability aligns with CWE-401: Improper Release of Memory and maps to ATT&CK technique T1499.004: Endpoint Denial of Service through memory exhaustion attacks that target system resources rather than application logic vulnerabilities.

Mitigation strategies should focus on immediate patch deployment for all affected Junos OS versions, specifically targeting releases 23.2R2-S7, 23.4R2-S7, 24.2R2-S4, and 24.4R2 or later. Network administrators should also consider disabling sFlow monitoring on affected Virtual Chassis configurations until patches are applied, though this may impact network visibility capabilities. Additionally, implementing proper network access controls to limit physical access to network infrastructure and monitoring buffer utilization patterns can help detect early signs of the memory leak before complete system failure occurs.

Responsible

Juniper

Reservation

06/23/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!