CVE-2026-21908

CWE-416Use After Free4 documents4 sources
Severity
7.5HIGH
EPSS
0.0%
top 98.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Juniper Networks Junos OSJuniper Networks Junos OS EvolvedJuniper Junos+1 more
Timeline
PublishedJan 15

Description

A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that could allow an authenticated, network-adjacent attacker flapping a port to crash the dot1xd process, leading to a Denial of Service (DoS), or potentially execute arbitrary code within the context of the process running as root. The issue is specific to the processing of a change in authorization (CoA) when a port bounce occurs. A pointer is freed but

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L

Affected Packages4 packages

CVEListV5juniper_networks/junos_os_evolved23.2R2-S123.2R2-S5-EVO+4
CVEListV5juniper_networks/junos_os23.2R2-S123.2R2-S5+4
NVDjuniper/junos_os_evolved5 versions+4
NVDjuniper/junos5 versions+4

🔴Vulnerability Details

2
CVEList
Junos OS and Junos OS Evolved: Use after free vulnerability In 802.1X authentication daemon can cause crash of the dot1xd process2026-01-15
GHSA
GHSA-h976-gqwv-338w: A Use After Free vulnerability was identified in the 8022026-01-15

📋Vendor Advisories

1
Juniper
CVE-2026-21908: A Use After Free vulnerability was identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved that coul2026-01-15
CVE-2026-21908 (HIGH CVSS 7.5) | A Use After Free vulnerability was | cvebase.io