What is the severity of CVE-2026-21909?

CVE-2026-21909 has a CVSS v3 score of 6.5, which is classified as Medium severity.

Is there an exploit available for CVE-2026-21909?

No known public exploits are currently available for CVE-2026-21909.

Is there a patch available for CVE-2026-21909?

Yes, patches are available for CVE-2026-21909. Check the vendor advisories for update instructions.

CVE-2026-21909 - CVE Details, Severity, and Analysis

Published: January 28, 2026

Last updated:1 day ago (January 28, 2026)

Updated January 28, 2026

no major risk factors

A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition.

Memory usage can be monitored through the use of the 'show task memory detail' command. For example:

user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 25 1072 28 1184 229

user@junos>

show task memory detail | match ted-infra TED-INFRA-COOKIE 31 1360 34 1472 307

This issue affects:

Junos OS:

from 23.2 before 23.2R2,
from 23.4 before 23.4R1-S2, 23.4R2,
from 24.1 before 24.1R2;

Junos OS Evolved:

from 23.2 before 23.2R2-EVO,
from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO,
from 24.1 before 24.1R2-EVO.

This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.

Strobes VI. (2026). CVE-2026-21909 - CVE Details and Analysis. Strobes VI. Retrieved January 29, 2026, from https://vi.strobes.co/cve/CVE-2026-21909

Vendor	Product
Juniper	Junos
Juniper

NVD: A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated attacker controlling an adjacent IS-IS neighbor to send a specific update packet causing a memory leak. Continued receipt and processing of these packets will exhaust all available memory, crashing rpd and creating a Denial of Service (DoS) condition. Memory usage can be monitored through the use of the 'show task memory detail' command. For example: user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 25 1072 28 1184 229 user@junos> show task memory detail | match ted-infra TED-INFRA-COOKIE 31 1360 34 1472 307 This issue affects: Junos OS: * from 23.2 before 23.2R2, * from 23.4 before 23.4R1-S2, 23.4R2, * from 24.1 before 24.1R2; Junos OS Evolved: * from 23.2 before 23.2R2-EVO, * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO, * from 24.1 before 24.1R2-EVO. This issue does not affect Junos OS versions before 23.2R1 or Junos OS Evolved versions before 23.2R1-EVO.