CVE-2024-39549 — Missing Release of Memory after Effective Lifetime in Networks Junos OS

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-415 — Double Free5 documents4 sources

Severity

8.7HIGHNVD

EPSS

0.3%

top 47.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juniper Networks Junos OS Juniper Networks Junos OS Evolved Juniper Junos +1 more

Timeline

PublishedJul 11

Latest updateFeb 5

Description

A Missing Release of Memory after Effective Lifetime vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker to send a malformed BGP Path attribute update which allocates memory used to log the bad path attribute. This memory is not properly freed in all circumstances, leading to a Denial of Service (DoS). Consumed memory can be freed by manually restarting Routing Protocol Daemon (rpd). Memory utilization could be monitored by: us…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Affected Packages4 packages

▶CVEListV5juniper_networks/junos_os_evolved21.4 — 21.4R3-S8-EVO+10

▶NVDjuniper/junos_os_evolved21.1+8

▶CVEListV5juniper_networks/junos_os21.4 — 21.4R3-S8+13

▶NVDjuniper/junos21.1+8

🔴Vulnerability Details

CVEList

Junos OS and Junos OS Evolved: Receipt of malformed BGP path attributes leads to a memory leak↗2024-07-11

▶

GHSA

GHSA-hw78-gpfh-vw3q: A Missing Release of Memory after Effective Lifetime vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolv↗2024-07-11

▶

📋Vendor Advisories

Juniper

CVE-2024-39564: This is a similar, but different vulnerability than the issue reported as CVE-2024-39549. A double-free vulnerability in the routing process daemon (↗2025-02-05

▶

Juniper

CVE-2024-39549: A Missing Release of Memory after Effective Lifetime vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolv↗2024-07-11

▶