CVE-2025-30646

A Signed to Unsigned Conversion Error vulnerability in the Layer 2 Control Protocol daemon (l2cpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated adjacent attacker sending a specifically malformed LLDP TLV to cause the l2cpd process to crash and restart, causing a Denial of Service (DoS).  Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

When an LLDP telemetry subscription is active, receipt of a specifically malformed LLDP TLV causes the l2cpd process to crash and restart.

This issue affects:

Junos OS:

• All versions before 21.2R3-S9, 
• from 21.4 before 21.4R3-S10, 
• from 22.2 before 22.2R3-S6, 
• from 22.4 before 22.4R3-S6, 
• from 23.2 before 23.2R2-S3, 
• from 23.4 before 23.4R2-S4, 
• from 24.2 before 24.2R2; 

Junos OS Evolved: 

• All versions before 21.4R3-S10-EVO,
• from 22.2-EVO before 22.2R3-S6-EVO, 
• from 22.4-EVO before 22.4R3-S6-EVO, 
• from 23.2-EVO before 23.2R2-S3-EVO, 
• from 23.4-EVO before 23.4R2-S4-EVO, 
• from 24.2-EVO before 24.2R2-EVO.

Weakness

The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive.

Extended Description

It is dangerous to rely on implicit casts between signed and unsigned numbers because the result can take on an unexpected value and violate assumptions made by the program. Often, functions will return negative values to indicate a failure. When the result of a function is to be used as a size parameter, using these negative return values can have unexpected results. For example, if negative size values are passed to the standard memory copy or allocation functions they will be implicitly cast to a large unsigned value. This may lead to an exploitable buffer overflow or underflow condition.

References

• https://supportportal.juniper.net/JSA96456