CVE-2026-57029 in Junos OS Evolved
Summary
by MITRE • 07/10/2026
A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).
When the reachability of an sFlow collector changes, the corresponding next-hop entry is updated. If this update occurs simultaneously with the sFlow thread accessing the next-hop data (which is outside the attackers control), it causes the evo-pfemand process to crash, impacting all traffic forwarding until the automatic process restart has completed.
This issue affects Junos OS Evolved on QFX Series:
* all 23.2 versions, * 23.4 versions before 23.4R2-S7-EVO, * 24.2 versions before 24.2R2-S5-EVO, * 24.4 versions before 24.4R2-S3-EVO, * 25.2 versions before 25.2R2-EVO.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability represents a critical missing synchronization issue within the flow collector handler of Juniper Networks Junos OS Evolved running on QFX Series devices. The flaw manifests when network reachability changes for sFlow collectors, creating a race condition between the next-hop update process and the sFlow thread accessing that data. This type of vulnerability falls under CWE-362, which specifically addresses race conditions that can lead to system instability and denial-of-service conditions. The issue is particularly concerning because it requires no authentication from the attacker, making it accessible to any adjacent network entity with basic network connectivity.
The technical implementation of this vulnerability exploits a fundamental concurrency problem in how the evo-pfemand process manages sFlow collector information. When an sFlow collector's reachability status changes, the system updates the next-hop entry while simultaneously allowing the sFlow thread to access that same data structure. This simultaneous access without proper synchronization mechanisms causes memory corruption or invalid pointer references within the evo-pfemand process, resulting in immediate process termination. The underlying architecture fails to implement proper locking mechanisms or atomic operations to prevent this concurrent access pattern, creating a classic race condition scenario.
From an operational impact perspective, this vulnerability presents a severe threat to network availability and stability. The crash of the evo-pfemand process affects all traffic forwarding capabilities on the affected device, effectively creating a complete denial-of-service condition for the entire QFX Series platform. Network administrators face the challenge of unpredictable downtime that can occur at any time when sFlow collector reachability changes, which might happen during normal network operations such as routing updates, link failures, or scheduled maintenance activities. The automatic restart process adds additional complexity as it may take several minutes to complete, during which the device provides no forwarding services.
The vulnerability affects multiple software versions across different release branches, indicating this is a persistent issue that has not been adequately addressed in recent releases. Specifically, all 23.2 versions, 23.4 versions before 23.4R2-S7-EVO, 24.2 versions before 24.2R2-S5-EVO, 24.4 versions before 24.4R2-S3-EVO, and 25.2 versions before 25.2R2-EVO are vulnerable to this attack vector. This widespread impact suggests the root cause exists in core architectural components rather than being isolated to specific patches or features. Organizations should consider implementing network segmentation strategies to limit adjacent network access and reduce attack surface exposure while awaiting official patches.
Mitigation strategies should include immediate implementation of network access controls to restrict adjacency to critical network infrastructure, particularly for devices running vulnerable versions of Junos OS Evolved. Network administrators should monitor sFlow collector reachability changes and implement automated alerting systems to detect potential triggering conditions. The most effective long-term solution involves applying the appropriate software patches released by Juniper Networks that address the synchronization issues in the sFlow handler component. Organizations may also consider disabling sFlow functionality temporarily on affected devices until proper patches can be deployed, though this reduces network visibility capabilities and should be viewed as a temporary workaround rather than a permanent solution.
This vulnerability aligns with ATT&CK technique T1498 which involves denial-of-service attacks that target system availability. The attack pattern demonstrates how seemingly minor concurrency issues in network infrastructure software can result in catastrophic operational impacts, highlighting the importance of robust synchronization mechanisms in critical network components. Network security teams should also consider implementing process monitoring and alerting for the evo-pfemand service to detect early signs of instability that may precede complete crashes, enabling proactive response rather than reactive remediation.