Junos OS Evolved: PTX Series: Receipt of repeated ECMP routing updates results in PFE crash
Summary
| CVE | CVE-2026-33794 |
|---|---|
| State | PUBLISHED |
| Assigner | juniper |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-09 21:16:54 UTC |
| Updated | 2026-07-10 17:49:57 UTC |
| Description | An Improper Check for Unusual or Exceptional Conditions vulnerability in the advanced forwarding toolkit (evo-aftmand) of Juniper Networks Junos OS Evolved on PTX Series allows an unauthenticated network-based attacker generating continuous routing updates, resulting in unilist ECMP routes, to crash the evo-aftmand process on the PFE, leading to a Denial-of-Service (DoS). The conditions required for successful exploitation are based on a sequence of events that are outside an attacker's direct control. Unified list (unilist) ECMP routes are a specific ECMP behavior where multiple equal-cost routes share a single logical next-hop list entry. The router treats them as one route with multiple next hops and load balances traffic across that unified list. Due to an issue processing unilist ECMP routing updates, internal state corruption may occur, especially in large-scale ECMP unilist deployments, leading to the evo-aftmand process crashing, resulting in an evo-aftmand-bx core. Manual intervention is required to recover by rebooting the system or restarting the FPC. This issue affects Junos OS Evolved on PTX : * from 24.4R2-EVO before 24.4R2-S3-EVO; * from 25.2 before 25.2R2-EVO. |
Risk And Classification
Primary CVSS: v4.0 8.2 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Green
EPSS: 0.004050000 probability, percentile 0.326490000 (date 2026-07-11)
Problem Types: CWE-754 | CWE-754 CWE-754 Improper Check for Unusual or Exceptional Conditions
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/C... |
| 4.0 | CNA | CVSS | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/... |
| 3.1 | [email protected] | Secondary | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Green
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Juniper Networks | Junos OS Evolved | affected 24.4R2-EVO 24.4R2-S3-EVO custom | PTX Series |
| CNA | Juniper Networks | Junos OS Evolved | affected 25.2 25.2R2, 25.2R2-EVO custom | PTX Series |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| supportportal.juniper.net/JSA110073 | [email protected] | supportportal.juniper.net | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
Solutions
CNA: The following software releases have been updated to resolve this specific issue: Junos OS Evolved: 24.4R2-S3-EVO, 25.2R2-EVO, 25.4R1-EVO, and all subsequent releases.
Workarounds
CNA: There are no known workarounds for this issue.
Exploits
CNA: Juniper SIRT is not aware of any malicious exploitation of this vulnerability.