CVE-2025-52986

Summary

A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device.

When RIB sharding is enabled and a user executes one of several routing related 'show' commands, a certain amount of memory is leaked. When all available memory has been consumed rpd will crash and restart.

The leak can be monitored with the CLI command:

show task memory detail | match task_shard_mgmt_cookie

where the allocated memory in bytes can be seen to continuously increase with each exploitation.

This issue affects:

Junos OS:

  • all versions before 21.2R3-S9,
  • 21.4 versions before 21.4R3-S11,
  • 22.2 versions before 22.2R3-S7,
  • 22.4 versions before 22.4R3-S7,
  • 23.2 versions before 23.2R2-S4, 
  • 23.4 versions before 23.4R2-S4,
  • 24.2 versions before 24.2R2,
  • 24.4 versions before 24.4R1-S2, 24.4R2;

Junos OS Evolved:

  • all versions before 22.2R3-S7-EVO
  • 22.4-EVO versions before 22.4R3-S7-EVO,
  • 23.2-EVO versions before 23.2R2-S4-EVO,
  • 23.4-EVO versions before 23.4R2-S4-EVO,
  • 24.2-EVO versions before 24.2R2-EVO, 
  • 24.4-EVO versions before 24.4R2-EVO.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 21.2R3-S9affected
Juniper NetworksJunos OS21.4 < 21.4R3-S11affected
Juniper NetworksJunos OS22.2 < 22.2R3-S7affected
Juniper NetworksJunos OS22.4 < 22.4R3-S7affected
Juniper NetworksJunos OS23.2 < 23.2R2-S4affected
Juniper NetworksJunos OS23.4 < 23.4R2-S4affected
Juniper NetworksJunos OS24.2 < 24.2R2affected
Juniper NetworksJunos OS24.4 < 24.4R1-S2, 24.4R2affected
Juniper NetworksJunos OS Evolved0 < 22.2R3-S7-EVOaffected
Juniper NetworksJunos OS Evolved22.4-EVO < 22.4R3-S7-EVOaffected
Juniper NetworksJunos OS Evolved23.2-EVO < 23.2R2-S4-EVOaffected
Juniper NetworksJunos OS Evolved23.4-EVO < 23.4R2-S4-EVOaffected
Juniper NetworksJunos OS Evolved24.2-EVO < 24.2R2-EVOaffected
Juniper NetworksJunos OS Evolved24.4-EVO < 24.4R2-EVOaffected

Weaknesses

  • CWE-401: CWE-401 Missing Release of Memory after Effective Lifetime

Workarounds

Use access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References