CVE-2025-30647

Summary

A Missing Release of Memory after Effective Lifetime vulnerability in the packet forwarding engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS).

In a subscriber management scenario, login/logout activity triggers a memory leak, and the leaked memory gradually increments and eventually results in a crash.                 user@host> show chassis fpc                                        Temp    CPU Utilization (%)   CPU Utilization (%)   Memory     Utilization (%)                       Slot State       (C)     Total   Interrupt     1min   5min  15min    DRAM (MB)  Heap   Buffer

                      2 Online         36       10         0          9     8     9        32768      26         0                                                                                                      

This issue affects Junos OS on MX Series:

  • All versions before 21.2R3-S9
  • from 21.4 before 21.4R3-S10
  • from 22.2 before 22.2R3-S6
  • from 22.4 before 22.4R3-S5
  • from 23.2 before 23.2R2-S3
  • from 23.4 before 23.4R2-S3
  • from 24.2 before 24.2R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 21.2R3-S9affected
Juniper NetworksJunos OS21.4 < 21.4R3-S10affected
Juniper NetworksJunos OS22.2 < 22.2R3-S6affected
Juniper NetworksJunos OS22.4 < 22.4R3-S5affected
Juniper NetworksJunos OS23.2 < 23.2R2-S3affected
Juniper NetworksJunos OS23.4 < 23.4R2-S3affected
Juniper NetworksJunos OS24.2 < 24.2R2affected

Weaknesses

  • CWE-401: CWE-401 Missing Release of Memory after Effective Lifetime

Workarounds

There are no known workarounds for this issue.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References