CVE-2026-33780
Severity
7.1 HIGH
EPSS
0.0%
top 96.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 9
Latest update Apr 10
Description
A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS).
In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not r…
CVSS vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
Affected Packages
2 packages
Vulnerability Details (3)
VulDB
Juniper Junos OS/Junos OS Evolved prior 22.4R3-S5/23.2R2-S3/23.4R2-S4/24.2R2 Layer 2 Address Learning Daemon memory leak (JSA107819)
2026-04-10
GHSA
GHSA-wcmx-9w9j-q7ph: A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Jun
2026-04-10
CVEList
Junos OS and Junos OS Evolved: In an EVPN-MPLS scenario churn of ESI routes causes a memory leak in l2ald
2026-04-09