π¨ CVE-2026-15276
A flaw has been found in pdeljanov Symphonia up to 0.6.0. This vulnerability affects unknown code of the component Metadata Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
π@cveNotify
A flaw has been found in pdeljanov Symphonia up to 0.6.0. This vulnerability affects unknown code of the component Metadata Handler. This manipulation causes denial of service. The attack needs to be launched locally. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
π@cveNotify
GitHub
GitHub - pdeljanov/Symphonia: Pure Rust multimedia format demuxing, tag reading, and audio decoding library
Pure Rust multimedia format demuxing, tag reading, and audio decoding library - pdeljanov/Symphonia
π¨ CVE-2026-33802
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on EX Series allows a local, authenticated attacker to cause a Denial-of-Service (DoS).
On EX2300, EX4000, EX4100, EX4300-MP (Multigigabit) and EX4400 switches, an authenticated, local attacker with no specific permissions or class can execute a specific, privileged CLI 'request' command which will cause complete traffic impact until the system automatically recovers.
This issue affects Junos OS on EX2300, EX4000, EX4100, EX4300-MP (Multigigabit) and EX4400:
* 23.2R2 versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S8,
* 24.2 versions before 24.2R2-S4,
* 24.4 versions before 24.4R2-S3,
* 25.2 versions before 25.2R2,
* 25.4 versions before 25.4R1-S1.
π@cveNotify
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on EX Series allows a local, authenticated attacker to cause a Denial-of-Service (DoS).
On EX2300, EX4000, EX4100, EX4300-MP (Multigigabit) and EX4400 switches, an authenticated, local attacker with no specific permissions or class can execute a specific, privileged CLI 'request' command which will cause complete traffic impact until the system automatically recovers.
This issue affects Junos OS on EX2300, EX4000, EX4100, EX4300-MP (Multigigabit) and EX4400:
* 23.2R2 versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S8,
* 24.2 versions before 24.2R2-S4,
* 24.4 versions before 24.4R2-S3,
* 25.2 versions before 25.2R2,
* 25.4 versions before 25.4R1-S1.
π@cveNotify
π¨ CVE-2026-33803
An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited information disclosure and availability impact to the device.
Due to a wrong initialization, a process which should only be able to communicate internally within the device can be reached over the network via an open port. This leads to a device being inadvertently exposed and increased CPU cycles spent processing ingress packets.
This issue affects Junos OS Evolved:
* all versions before 23.2R2-S7-EVO,
* 23.4 versions before 23.4R2-S8-EVO,
* 24.2 versions before 24.2R2-S5-EVO,
* 24.4 versions before 24.4R2-S4-EVO,
* 25.2 versions before 25.2R2-S1-EVO,
* 25.4 versions before 25.4R1-S2-EVO.
π@cveNotify
An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited information disclosure and availability impact to the device.
Due to a wrong initialization, a process which should only be able to communicate internally within the device can be reached over the network via an open port. This leads to a device being inadvertently exposed and increased CPU cycles spent processing ingress packets.
This issue affects Junos OS Evolved:
* all versions before 23.2R2-S7-EVO,
* 23.4 versions before 23.4R2-S8-EVO,
* 24.2 versions before 24.2R2-S5-EVO,
* 24.4 versions before 24.4R2-S4-EVO,
* 25.2 versions before 25.2R2-S1-EVO,
* 25.4 versions before 25.4R1-S2-EVO.
π@cveNotify
π¨ CVE-2026-38076
An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex commit cc37d0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
π@cveNotify
An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex commit cc37d0 allows attackers to cause a Denial of Service (DoS) via a crafted input.
π@cveNotify
Artifex
Artifex | Open Source Power, Enterprise Performance
Artifex Software builds open-source and commercially licensed document processing technology β including Ghostscript, MuPDF, PyMuPDF, and PyMuPDF4LLM β used in over 1 billion deployments worldwide. Pioneered the open-source business model since 1989.
π¨ CVE-2026-39243
decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.linkname field from the archive is passed directly to fs.link() without validation (index.js line 113). An attacker can craft an archive with a hardlink entry whose linkname is an absolute path to any file on the same filesystem. This creates a hardlink inside the extraction directory that shares the same inode as the target file, enabling both reading and overwriting the original file's content. Hardlinks are limited to files on the same filesystem and cannot target directories.
π@cveNotify
decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries (type === 'link'), the x.linkname field from the archive is passed directly to fs.link() without validation (index.js line 113). An attacker can craft an archive with a hardlink entry whose linkname is an absolute path to any file on the same filesystem. This creates a hardlink inside the extraction directory that shares the same inode as the target file, enabling both reading and overwriting the original file's content. Hardlinks are limited to files on the same filesystem and cannot target directories.
π@cveNotify
GitHub
GitHub - kevva/decompress: Extracting archives made easy
Extracting archives made easy. Contribute to kevva/decompress development by creating an account on GitHub.
π¨ CVE-2026-39245
decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function (index.js line 29) and the extraction path validation (index.js line 106) use String.indexOf() to verify the resolved path is within the output directory: realDestinationDir.indexOf(realOutputPath) !== 0. This check is flawed because it does not enforce a path separator boundary. For example, "/tmp/app_config".indexOf("/tmp/app") returns 0, incorrectly passing the check even though /tmp/app_config is outside /tmp/app. Combined with the unvalidated symlink creation in the same package, an attacker can write arbitrary files to directories adjacent to the extraction target. This is a bypass of the fix for CVE-2020-12265. The correct check requires appending a path separator: realParentPath.indexOf(realOutputPath + path.sep) !== 0.
π@cveNotify
decompress before 4.2.2 contains an improper path containment check that enables directory traversal and arbitrary file write. The safeMakeDir function (index.js line 29) and the extraction path validation (index.js line 106) use String.indexOf() to verify the resolved path is within the output directory: realDestinationDir.indexOf(realOutputPath) !== 0. This check is flawed because it does not enforce a path separator boundary. For example, "/tmp/app_config".indexOf("/tmp/app") returns 0, incorrectly passing the check even though /tmp/app_config is outside /tmp/app. Combined with the unvalidated symlink creation in the same package, an attacker can write arbitrary files to directories adjacent to the extraction target. This is a bypass of the fix for CVE-2020-12265. The correct check requires appending a path separator: realParentPath.indexOf(realOutputPath + path.sep) !== 0.
π@cveNotify
GitHub
GitHub - kevva/decompress: Extracting archives made easy
Extracting archives made easy. Contribute to kevva/decompress development by creating an account on GitHub.
π¨ CVE-2026-39246
decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.
π@cveNotify
decompress before 4.2.2 allows arbitrary symlink creation during archive extraction. When processing symlink entries (type === 'symlink'), the x.linkname field from the archive is passed directly to fs.symlink() without validation (index.js line 121). The preventWritingThroughSymlink check on line 98 only applies to file entries, not symlink creation. An attacker can craft an archive with symlink entries pointing to sensitive files outside the extraction directory (e.g., /etc/passwd), enabling information disclosure when the application reads the extracted contents.
π@cveNotify
GitHub
GitHub - kevva/decompress: Extracting archives made easy
Extracting archives made easy. Contribute to kevva/decompress development by creating an account on GitHub.
π¨ CVE-2026-44787
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primary_group_id and gain whisper-group privileges without legitimate group membership on sites with whispers_allowed_groups configured. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Signup-time primary_group_id assignment grants whisperer ac⦠· discourse/discourse@012796a
β¦cess [backport 2026.5]
Backport of #698 to release/2026.5.
---
## Summary
Applies security patch from triage.
## Security advisory
https://github.com/discourse/discourse/security/advisories/...
Backport of #698 to release/2026.5.
---
## Summary
Applies security patch from triage.
## Security advisory
https://github.com/discourse/discourse/security/advisories/...
π¨ CVE-2026-45780
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Gate private event invitee details [backport 2026.1] Β· discourse/discourse@3796950
Backport of #709 to release/2026.1.
---
## Summary
Fixes a private-event information disclosure in private event Invitee serialization.
## Security advisory
https://github.com/discourse/discou...
---
## Summary
Fixes a private-event information disclosure in private event Invitee serialization.
## Security advisory
https://github.com/discourse/discou...
π¨ CVE-2026-45788
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pull_hotlinked_images when an attacker knew the secured upload URL and the secure_uploads site setting was enabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Authorize secure-upload hotlink downloads against post user⦠· discourse/discourse@5807c42
β¦ [backport 2026.4]
Backport of #705 to release/2026.4.
---
Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-3876-w96v-8v38
When a post embeds an `<img>` ...
Backport of #705 to release/2026.4.
---
Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-3876-w96v-8v38
When a post embeds an `<img>` ...
π¨ CVE-2026-46413
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, regular users could route direct S3 multipart uploads through ExternalUploadManager into the admin backup store. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Regular users can route multipart uploads into the admin ba⦠· discourse/discourse@1f1ded8
β¦ckup store
## Summary
Applies security patch from triage.
## Security advisory
https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7
## Source
- Patch Triage: https:...
## Summary
Applies security patch from triage.
## Security advisory
https://github.com/discourse/discourse/security/advisories/GHSA-3mvf-q9rg-w6m7
## Source
- Patch Triage: https:...
π¨ CVE-2026-49256
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, restricted tag and tag-group names attached to publicly readable categories as allowed_tags, allowed_tag_groups, or required tag groups could leak to anonymous and unauthorized users through category and group endpoints. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
Release v2026.1.5 Β· discourse/discourse
version 2026.1.5
π¨ CVE-2026-53961
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the AWS SES bounce webhook at POST /webhooks/aws verified that SNS messages were signed by Amazon but did not bind them to trusted TopicArn values, allowing any AWS account holder to publish validly signed forged Bounce notifications that revoke a targeted user email. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Prevent any signed AWS SNS TopicARN from being accepted via⦠· discourse/discourse@3a3d315
β¦ webhooks [backport 2026.1]
Manual backport of #732 to 2026.1. Conflict in server.en.yml (no qq_mail_smtp line on this branch) resolved.
GHSA-8f9m-v436-wr3x
---
Any AWS account holder can sub...
Manual backport of #732 to 2026.1. Conflict in server.en.yml (no qq_mail_smtp line on this branch) resolved.
GHSA-8f9m-v436-wr3x
---
Any AWS account holder can sub...
π¨ CVE-2026-53962
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, insufficient SVG sanitization in upload and user avatar handling could lead to cross-site scripting when a user visited specific URLs that are not normally part of community browsing. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Improve SVG sanitization [backport 2026.1] Β· discourse/discourse@3ee8343
Backport of #758 to release/2026.1.
---
## Summary
Correctly strip internal DTD entities which may contain scripts. For defense-in-depth, also adds `content-disposition: attachment` for SVGs in ...
---
## Summary
Correctly strip internal DTD entities which may contain scripts. For defense-in-depth, also adds `content-disposition: attachment` for SVGs in ...
π¨ CVE-2026-53963
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that account. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Escape second factor name in delete confirmation dialog Β· discourse/discourse@40de62c
Advisory: https://github.com/discourse/discourse/security/advisories/GHSA-wg5x-7f23-m3r5
Dev topic: https://dev.discourse.org/t/stored-xss-in-2fa-delete-confirmation-modal/185684
Dev topic: https://dev.discourse.org/t/stored-xss-in-2fa-delete-confirmation-modal/185684
π¨ CVE-2026-55170
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.
π@cveNotify
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when MySQL is being used as the datastore and authorization decisions rely on case-sensitive user strings, the tuple, changelog, and authorization_model identifier columns can compare case-distinct values such as user:Alice and user:alice as equivalent, causing two distinct check requests to return the same response. This issue is fixed in 1.18.0.
π@cveNotify
GitHub
Merge pull request #319 from openfga/feat/update-fga-1.18.0 Β· openfga/helm-charts@96d5517
bump openfga to 1.18.0
π¨ CVE-2026-55424
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a topic "featured link" was not sufficiently normalized and escaped before being rendered in the topic list, allowing a user who can set a featured link to inject JavaScript when default Content Security Policy protections were modified or disabled. This issue is fixed in versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5.
π@cveNotify
GitHub
SECURITY: Normalize and escape topic featured links [backport 2026.4] Β· discourse/discourse@1bce888
Backport of #767 to release/2026.4.
---
A topic `featured_link` was persisted with only minimal processing and later interpolated into a trusted HTML string when rendering the topic list, leaving...
---
A topic `featured_link` was persisted with only minimal processing and later interpolated into a trusted HTML string when rendering the topic list, leaving...
π¨ CVE-2026-55604
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global `SessionStore` accepts caller-supplied `session_id` values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via `deepseek_sessions`, then reuse a victim-controlled `session_id` in `deepseek_chat` to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch.
π@cveNotify
DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global `SessionStore` accepts caller-supplied `session_id` values without binding them to any authenticated principal or transport session. An attacker can enumerate active session IDs via `deepseek_sessions`, then reuse a victim-controlled `session_id` in `deepseek_chat` to retrieve and continue the victim's conversation context. Version 1.7.0 contains a patch.
π@cveNotify
GitHub
Release v1.7.0 β Security: HTTP transport session isolation Β· arikusi/deepseek-mcp-server
Security
Cross-session data exposure in HTTP transport (high severity). The SessionStore was a process-wide singleton shared across all connected HTTP clients. In HTTP transport mode, any client th...
Cross-session data exposure in HTTP transport (high severity). The SessionStore was a process-wide singleton shared across all connected HTTP clients. In HTTP transport mode, any client th...
π¨ CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
π@cveNotify
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated service by the same identity provider to authenticate to OpenFGA. This issue is fixed in 1.18.0.
π@cveNotify
π¨ CVE-2026-57019
An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
When a specific packet is received from device in the same broadcast domain, an affected system calculates the packet size incorrectly. This causes further packet processing to fail, which triggers an FPC major error, resulting in a FPC reset impacting traffic until the FPC has automatically recovered.
Affected scenarios are: MAP-T, or non-IP traffic encapsulated in IP (e.g. MPLS over GRE).
When this issue happens the following logs can be observed:
fpc<#> CMError: /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb), scope: pfe, category: functional, severity: major, module: MQSS(0), type: LI: Unroll TAIL length overflow, oc_category: default
fpc<#> Performing action reset-fru for error /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb) in module: MQSS(0) with scope: pfe category: functional level: major, oc_category: default
This issue affects Junos OS on MX Series:
* all versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S7,
* 24.2 versions before 24.2R2-S4,
* 24.4 versions before 24.4R2-S4,
* 25.2 versions before 25.2R2.
π@cveNotify
An Improper Validation of Specified Quantity in Input vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
When a specific packet is received from device in the same broadcast domain, an affected system calculates the packet size incorrectly. This causes further packet processing to fail, which triggers an FPC major error, resulting in a FPC reset impacting traffic until the FPC has automatically recovered.
Affected scenarios are: MAP-T, or non-IP traffic encapsulated in IP (e.g. MPLS over GRE).
When this issue happens the following logs can be observed:
fpc<#> CMError: /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb), scope: pfe, category: functional, severity: major, module: MQSS(0), type: LI: Unroll TAIL length overflow, oc_category: default
fpc<#> Performing action reset-fru for error /fpc/0/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_LI_INT_REG_UNROLL_TAIL_LENGTH_OVF (0x2205eb) in module: MQSS(0) with scope: pfe category: functional level: major, oc_category: default
This issue affects Junos OS on MX Series:
* all versions before 23.2R2-S6,
* 23.4 versions before 23.4R2-S7,
* 24.2 versions before 24.2R2-S4,
* 24.4 versions before 24.4R2-S4,
* 25.2 versions before 25.2R2.
π@cveNotify
π¨ CVE-2026-57020
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
On all QFX10000 platforms in an EVPN-VxLAN scenario, if an attacker sends IPv6 multicast traffic and these packets reach the non-IRB interface of a spine switch it floods the packet to other spines and all Ethernet Segment Identifier (ESI) leaf switches. This flooding causes the packet to be forwarded in a endless loop, which can lead to saturation of the involved links and in turn impact to legitimate traffic.
This issue affects Junos OS on QFX10000 Series:
* all versions before 23.2R2-S7,
* 23.4 versions before 23.4R2-S8,
* 24.2 versions before 24.2R2-S4,
* 24.4 versions before 24.4R2-S4.
This issue does not affect Junos version after 24.4 as the QFX10000 Series devices are not supported on newer versions anymore.
π@cveNotify
An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on QFX10000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
On all QFX10000 platforms in an EVPN-VxLAN scenario, if an attacker sends IPv6 multicast traffic and these packets reach the non-IRB interface of a spine switch it floods the packet to other spines and all Ethernet Segment Identifier (ESI) leaf switches. This flooding causes the packet to be forwarded in a endless loop, which can lead to saturation of the involved links and in turn impact to legitimate traffic.
This issue affects Junos OS on QFX10000 Series:
* all versions before 23.2R2-S7,
* 23.4 versions before 23.4R2-S8,
* 24.2 versions before 24.2R2-S4,
* 24.4 versions before 24.4R2-S4.
This issue does not affect Junos version after 24.4 as the QFX10000 Series devices are not supported on newer versions anymore.
π@cveNotify