CVE-2026-21913

An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted.

The following reboot reason can be seen in the output of show chassis routing-engine and as a log message:

  reason=0x4000002 reason_string=0x4000002:watchdog + panic with core dump

This issue affects Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP:

• 24.4 versions before 24.4R2,
• 25.2 versions before 25.2R1-S2, 25.2R2.

This issue does not affect versions before 24.4R1 as the first Junos OS version for the EX4000 models was 24.4R1.

Weakness

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Affected Software

Potential Mitigations

• Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
• For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable’s type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/26.html
• https://cwe.mitre.org/data/definitions/29.html

References

• https://kb.juniper.net/JSA106014
• https://supportportal.juniper.net/JSA106014