Platform: juniper
Component: juniper-junos
Fixed in:
21.2R3-S10
21.4R3-S12
22.2R3-S8
22.4R3-S9
23.2R2-S6
23.4R2-S7
24.2R2-S3
24.4R2-S3
25.2R1-S2, 25.2R2
21.3*
22.1*
22.3*
CVE-2026-33790 describes a Denial of Service (DoS) vulnerability within the flow daemon (flowd) of Juniper Networks Junos OS, specifically impacting SRX Series devices. An attacker can trigger this vulnerability by sending a specially crafted, malformed ICMPv6 packet, causing the srxpfe process to crash and restart repeatedly. This results in a sustained DoS condition, disrupting network services.
The primary impact of CVE-2026-33790 is a denial of service. Successful exploitation leads to the repeated crashing and restarting of the srxpfe process, effectively rendering the affected SRX Series device unavailable. This can disrupt critical network traffic, impacting services reliant on the device for routing, security, or VPN connectivity. The vulnerability's reliance on ICMPv6 suggests potential targeting of IPv6-enabled networks and devices. While the description specifies NAT64 translation as a trigger, the broader impact extends to any SRX Series device receiving malformed ICMPv6 packets.
This CVE was publicly disclosed on 2026-04-09. There is no indication of active exploitation at this time, and it is not currently listed on CISA KEV. The vulnerability's reliance on a specific ICMPv6 malformation suggests a moderate barrier to exploitation, requiring some understanding of network protocols. Public proof-of-concept code is not currently available.
EPSS: 0.05% (16th percentile)
Juniper Networks recommends upgrading to Junos OS versions 25.2R1-S2 or 25.2R2 to address this vulnerability. If immediate upgrade is not feasible, consider implementing temporary mitigations. Rate-limiting ICMPv6 traffic can reduce the frequency of malicious packets reaching the device. Network segmentation can isolate vulnerable SRX Series devices from potentially hostile networks. Monitoring srxpfe process health and resource utilization can provide early warning signs of exploitation. After upgrade, confirm functionality by sending a standard ICMPv6 ping and verifying successful response.
Update your Juniper SRX Series device to a Junos OS version that includes the fix, such as 21.2R3-S10, 21.4R3-S12, 22.2R3-S8, 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S3, 24.4R2-S3, 25.2R1-S2 or 25.2R2. This update mitigates the vulnerability by correcting ICMPv6 packet validation, preventing the srxpfe process crash.
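One way to implement the srxpfe health monitoring suggested above, as an added example rather than Juniper's or this page's own tooling: it flags hosts whose syslog shows repeated srxpfe crashes within a short window. The log lines and the message pattern are constructed assumptions; match them to what your devices actually log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a device). The message text is an
# assumption modelled on BSD-style "exited on signal" kernel messages; adjust
# CRASH_RE to whatever your SRX actually logs when srxpfe dies.
SAMPLE_LOG = """\
2026-04-10T09:00:01 srx1 kernel: pid 2101 (srxpfe), uid 0: exited on signal 11 (core dumped)
2026-04-10T09:00:40 srx1 mgd[900]: UI_COMMIT: user 'ops' requested 'commit' operation
2026-04-10T09:01:15 srx1 kernel: pid 2188 (srxpfe), uid 0: exited on signal 11 (core dumped)
2026-04-10T09:02:30 srx1 kernel: pid 2240 (srxpfe), uid 0: exited on signal 11 (core dumped)
2026-04-10T11:45:00 srx2 kernel: pid 1777 (srxpfe), uid 0: exited on signal 6 (core dumped)
"""

CRASH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+kernel: pid \d+ \(srxpfe\).*exited on signal (?P<sig>\d+)"
)

def parse_crashes(text):
    """Return sorted (timestamp, host) pairs for lines recording an srxpfe crash."""
    events = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"]))
    return sorted(events)

def crash_loops(events, threshold=3, window=timedelta(minutes=5)):
    """Map host -> peak crash count for hosts with >= threshold crashes in any window.

    One crash can be an unrelated fault; repeated crashes in a short window
    match the crash-and-restart pattern the advisory describes.
    """
    per_host, flagged = {}, {}
    for ts, host in events:
        recent = per_host.setdefault(host, [])
        recent.append(ts)
        # Drop crashes that have fallen out of the window ending at `ts`.
        while ts - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(recent))
    return flagged

if __name__ == "__main__":
    for host, count in crash_loops(parse_crashes(SAMPLE_LOG)).items():
        print(f"ALERT {host}: srxpfe crashed {count} times within 5 minutes")
```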
CVE-2026-33790 is a high-severity denial-of-service vulnerability affecting Juniper Junos OS SRX Series devices. A malformed ICMPv6 packet can trigger a crash in the srxpfe process, leading to a sustained DoS.
If you are running Junos OS SRX Series versions 0.0.0–25.2R1-S2 or 25.2R2 and are exposed to IPv6 traffic, you are potentially affected by this vulnerability.
Upgrade to Junos OS versions 25.2R1-S2 or 25.2R2. As a temporary workaround, consider rate-limiting ICMPv6 traffic and segmenting your network.
There is currently no evidence of active exploitation of CVE-2026-33790.
Refer to the official Juniper Security Advisory for detailed information and mitigation steps: https://www.juniper.net/us/en/support/security/advisories/CVE-2026-33790/