CVE-2025-21600

Summary

An Out-of-Bounds Read vulnerability in

the routing protocol daemon (rpd) of

Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue only affects systems configured in either of two ways:

    *  systems with BGP traceoptions enabled

    *  systems with BGP family traffic-engineering (BGP-LS)
      configured

and can be exploited from a directly connected and configured BGP peer. 

This issue affects iBGP and eBGP

with

any address family

configured, and both IPv4 and IPv6 are affected by this vulnerability.

This issue affects:

Junos OS: 

from 21.4 before 21.4R3-S9, 

  • from 22.2 before 22.2R3-S5, 
  • from 22.3 before 22.3R3-S4, 
  • from 22.4 before 22.4R3-S5, 
  • from 23.2 before 23.2R2-S3, 
  • from 23.4 before 23.4R2-S3, 
  • from 24.2 before 24.2R1-S2, 24.2R2; 

Junos OS Evolved: 

  • from 21.4-EVO before 21.4R3-S9-EVO, 
  • from 22.2-EVO before 22.2R3-S5-EVO, 
  • from 22.3-EVO before 22.3R3-S4-EVO, 
  • from 22.4-EVO before 22.4R3-S5-EVO, 
  • from 23.2-EVO before 23.2R2-S3-EVO, 
  • from 23.4-EVO before 23.4R2-S2-EVO, 
  • from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.

This issue does not affect versions of Junos OS prior to 21.3R1.

This issue does not affect versions of Junos OS Evolved prior to 21.3R1-EVO.

This is a similar, but different vulnerability than the issue reported as CVE-2024-39516.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS21.4 < 21.4R3-S9affected
Juniper NetworksJunos OS22.2 < 22.2R3-S5affected
Juniper NetworksJunos OS22.3 < 22.3R3-S4affected
Juniper NetworksJunos OS22.4 < 22.4R3-S5affected
Juniper NetworksJunos OS23.2 < 23.2R2-S3affected
Juniper NetworksJunos OS23.4 < 23.4R2-S3affected
Juniper NetworksJunos OS24.2 < 24.2R1-S2, 24.2R2affected
Juniper NetworksJunos OS0 < 21.3R1unaffected
Juniper NetworksJunos OS Evolved21.4-EVO < 21.4R3-S9-EVOaffected
Juniper NetworksJunos OS Evolved22.2-EVO < 22.2R3-S5-EVOaffected
Juniper NetworksJunos OS Evolved22.3-EVO < 22.3R3-S4-EVOaffected
Juniper NetworksJunos OS Evolved22.4-EVO < 22.4R3-S5-EVOaffected
Juniper NetworksJunos OS Evolved23.2-EVO < 23.2R2-S3-EVOaffected
Juniper NetworksJunos OS Evolved23.4-EVO < 23.4R2-S2-EVOaffected
Juniper NetworksJunos OS Evolved24.2-EVO < 24.2R1-S2-EVO, 24.2R2-EVOaffected
Juniper NetworksJunos OS Evolved0 < 21.3R1-EVOunaffected

Weaknesses

  • CWE-125: CWE-125 Out-of-bounds Read

Workarounds

If BGP traceoptions are enabled, and traffic engineering is not configured, disable BGP traceoptions if they are not being used for active troubleshooting.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References