Juniper SRX Series CVE-2026-33790: NAT64 ICMPv6 Denial of Service via srxpfe Crash

A brief summary of CVE-2026-33790, a high severity denial of service vulnerability in Juniper SRX Series firewalls triggered by malformed ICMPv6 packets during NAT64 translation. Includes patch details, affected versions, and detection strategies.


ZeroPath CVE Analysis

2026-04-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

A malformed ICMPv6 packet sent to a Juniper SRX Series firewall performing NAT64 translation can crash the packet forwarding engine, and an attacker who keeps sending that packet can hold the device in a sustained outage. CVE-2026-33790 carries a CVSS v3.1 score of 7.5 and a CVSS v4.0 score of 8.7, reflecting the fact that this is a remotely exploitable, unauthenticated denial of service condition affecting a widely deployed class of network security appliance.

Juniper's SRX Series firewalls are a staple of enterprise and service provider networks, serving as perimeter security devices in data centers, campus environments, and large branch offices. With Juniper Networks now part of HPE, the SRX platform's installed base is substantial. Any vulnerability that can take an SRX offline with a single packet warrants close attention from network and security operations teams.

Technical Information

Root Cause

CVE-2026-33790 is classified under CWE-754: Improper Check for Unusual or Exceptional Conditions. The vulnerability resides in the flow daemon (flowd) of Junos OS, specifically in how the srxpfe process (the SRX Packet Forwarding Engine) handles ICMPv6 packets during NAT64 translation. When a specific malformed ICMPv6 packet destined to the device itself arrives and enters the NAT64 translation path, the srxpfe process encounters an unhandled exceptional condition and crashes.

The core issue is a missing validation step. The code path responsible for processing ICMPv6 packets within the NAT64 translation flow does not perform adequate bounds checking or input validation on certain malformed packet structures. When the malformed packet reaches this unprotected code path, it triggers a fatal error in srxpfe, causing the process to crash and restart.

CVSS Metrics

| Metric Category | CVSS v3.1 | CVSS v4.0 |
|---|---|---|
| Base Score | 7.5 HIGH | 8.7 HIGH |
| Vector String | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Amber |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| User Interaction | None | None |
| Availability Impact | High | High |

Exploit Preconditions

The scope of this vulnerability is narrow but carries a high impact for exposed configurations:

  1. The target must be a Juniper SRX Series device running a vulnerable version of Junos OS.
  2. The device must have an active NAT64 (IPv6 to IPv4 translation) configuration.
  3. The attacker must be able to route a malformed ICMPv6 packet to the device.

Environments not actively performing NAT64 translation on their SRX devices are not exposed to this attack vector, regardless of Junos OS version. The issue also cannot be triggered using IPv4 traffic or other standard IPv6 traffic.

Attack Flow

Based on the advisory details, the exploitation sequence proceeds as follows:

  1. The attacker identifies a target SRX Series device with NAT64 enabled and IPv6 reachability.
  2. The attacker crafts a specific malformed ICMPv6 packet and sends it to the device. The packet must be destined to the device itself (not simply transiting it) and must enter the NAT64 translation path.
  3. When flowd processes this packet through the NAT64 translation logic, the srxpfe process encounters the unhandled condition and crashes.
  4. The srxpfe process restarts automatically, but the attacker can immediately send another malformed packet.
  5. By continuously sending these packets, the attacker forces srxpfe into a repeated crash loop, sustaining the Denial of Service condition and disrupting all traffic processing on the device.

The attack requires no authentication, no user interaction, and low complexity. The only requirement is network reachability to the target device over IPv6.

Patch Information

Juniper Networks published security advisory JSA107874 on April 8, 2026, delivering official firmware level patches across multiple supported Junos OS release trains for the SRX Series. The fix adds proper validation and bounds checking for malformed ICMPv6 packets before they reach the crash inducing code path. After patching, the srxpfe process will gracefully reject malformed ICMPv6 packets rather than crashing and restarting.

The following Junos OS releases contain the fix:

| Release Train | Fixed Version |
|---|---|
| 21.2 | 21.2R3-S10 |
| 21.4 | 21.4R3-S12 |
| 22.4 | 22.4R3-S9 |
| 23.2 | 23.2R2-S6 |
| 23.4 | 23.4R2-S7 |
| 24.2 | 24.2R2-S3 |
| 24.4 | 24.4R2-S3 |
| 25.2 | 25.2R1-S2 or 25.2R2 |
| 25.4 | 25.4R1 (and all subsequent releases) |

End of Life branches with no fix available: The 21.3 and 22.1 release branches have no patch available. All versions within those trains remain vulnerable because those branches have reached Juniper's End of Engineering (EOE) or End of Life (EOL) status, and Juniper's SIRT policy does not backport fixes to them. Organizations still running 21.3 or 22.1 on SRX Series devices must upgrade to a supported train with the fix applied.

For the 22.2 branch, the advisory implies a fix boundary at 22.2R3-S8 (it states that versions "from 22.2 before 22.2R3-S8" are affected), but this version is notably absent from the official Solution list, which suggests 22.2 may also be near or at EOL.

Juniper is tracking this fix internally under bug PR1897060. The advisory confirms there are no workarounds for this vulnerability, making upgrading to a patched firmware the only remediation path. Only SRX Series devices configured with NAT64 are affected, so the fix is specifically relevant to environments with that configuration active.

Detection Methods

Detecting CVE-2026-33790 requires a layered approach combining proactive vulnerability scanning with behavioral monitoring on Juniper SRX Series devices.

Vulnerability Scanning with Nessus

Tenable has published a dedicated Nessus plugin, Plugin ID 305588 (file: juniper_jsa107874.nasl), under the "Junos Local Security Checks" family, released on April 8, 2026. This plugin performs a version based check against the device's self reported Junos OS version, using the Host/Juniper/model and Host/Juniper/JUNOS/Version knowledge base items collected during credentialed scans. It does not attempt to exploit the vulnerability; it simply compares the running Junos OS version against the list of known affected releases to flag at risk devices. Organizations running Nessus or Tenable products should ensure this plugin is included in their scan policies targeting SRX infrastructure.

Version Based Identification

Even without automated scanning, defenders can manually audit their SRX fleet for exposure. The Juniper advisory (JSA107874) provides a precise enumeration of affected Junos OS versions. Any SRX device running a version within the affected ranges warrants immediate investigation. The show version command on Junos OS will display the current release.

Configuration Exposure Check

A critical prerequisite for this vulnerability is the presence of a NAT64 configuration on the SRX device. The Juniper advisory explicitly notes this by providing example configuration stanzas, such as NAT source pools with IPv4 addresses, rule sets matching IPv6 source addresses with a 0.0.0.0/0 destination, and static NAT rule sets using static-nat inet under a destination IPv6 /96 prefix. Defenders should audit their SRX configurations and identify all devices with active NAT64 rule sets, as these are the only ones exposed to this attack vector. Devices without NAT64 configurations are not vulnerable regardless of their Junos OS version.
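
A first-pass audit for the rule shapes listed above, run over saved show configuration | display set output. This is an added example, not code from Juniper or the original page; it assumes literal prefixes in the match clauses, and the sample configuration, rule names and prefixes are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Per-rule lines of `show configuration | display set` output.
_RULE = re.compile(
    r"^set security nat (static|source) rule-set (\S+) rule (\S+) (match|then) (.+)$")

def _net(text):
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None  # address-book name or other non-literal value

def find_nat64_rules(display_set):
    """Return sorted (kind, rule_set, rule) tuples that look like NAT64."""
    seen = defaultdict(set)  # (kind, rule_set, rule) -> traits observed
    for line in display_set.splitlines():
        m = _RULE.match(line.strip())
        if not m:
            continue
        kind, rule_set, rule, clause, rest = m.groups()
        words = rest.split()
        traits = seen[(kind, rule_set, rule)]
        if clause == "then" and words[:2] == ["static-nat", "inet"]:
            traits.add("to-inet")
        elif clause == "match" and len(words) == 2 and (net := _net(words[1])) is not None:
            if words[0] == "source-address" and net.version == 6:
                traits.add("src-v6")
            elif words[0] == "destination-address" and net.version == 6 and net.prefixlen == 96:
                traits.add("dst-v6-96")
            elif words[0] == "destination-address" and str(net) == "0.0.0.0/0":
                traits.add("dst-any-v4")
    wanted = {"static": {"dst-v6-96", "to-inet"}, "source": {"src-v6", "dst-any-v4"}}
    return sorted(key for key, traits in seen.items() if wanted[key[0]] <= traits)

# Constructed sample configuration (names and prefixes are made up).
SAMPLE = """\
set security nat source pool v4-pool address 203.0.113.10/32
set security nat source rule-set v6-out rule r1 match source-address 2001:db8:1::/64
set security nat source rule-set v6-out rule r1 match destination-address 0.0.0.0/0
set security nat source rule-set v6-out rule r1 then source-nat pool v4-pool
set security nat source rule-set lan-out rule r9 match source-address 10.0.0.0/8
set security nat source rule-set lan-out rule r9 match destination-address 0.0.0.0/0
set security nat static rule-set v6-in rule r1 match destination-address 64:ff9b::/96
set security nat static rule-set v6-in rule r1 then static-nat inet
"""
```

An empty result is not proof of absence: rules that reference address-book names instead of literal prefixes are skipped and need a manual look.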

Behavioral Monitoring for Active Exploitation

Since this vulnerability causes the srxpfe process to crash and restart when a malformed ICMPv6 packet is received during NAT64 translation, repeated or unexpected srxpfe process crashes are a key behavioral indicator that exploitation may be underway. Security operations teams should monitor device logs and SNMP traps for signs of recurring srxpfe restarts on SRX devices with NAT64 enabled. A pattern of repeated crashes, particularly coinciding with elevated ICMPv6 traffic, should be treated as a strong indicator of attack attempts and investigated promptly.
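
The crash-loop indicator described above can be turned into a per-device sliding-window check over collected syslog. This is an added example, not code from Juniper or the original page; the log lines are constructed, and the line shape, keyword pattern, threshold and window are assumptions to tune against what your devices actually log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: "<ISO-8601 time> <host> <message>". The keyword pattern is a
# placeholder; match it to the srxpfe crash/restart messages your release emits.
_CRASH = re.compile(r"\bsrxpfe\b.*\b(core|crash\w*|restart\w*)\b", re.I)

def crash_loops(lines, threshold=3, window=timedelta(minutes=10)):
    """Return [(host, time, count)] the first time a host reaches the threshold."""
    recent = defaultdict(deque)  # host -> crash times still inside the window
    alerted, alerts = set(), []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3 or not _CRASH.search(parts[2]):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # not a timestamped line
        host, q = parts[1], recent[parts[1]]
        q.append(ts)
        while ts - q[0] > window:  # drop crashes older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, ts.isoformat(), len(q)))
    return alerts

# Constructed log lines; real Junos message text will differ.
SAMPLE_LOG = """\
2026-04-09T10:15:02 srx-edge1 srxpfe core dumped, process restarting
2026-04-09T10:15:30 srx-edge1 sshd: accepted publickey for admin
2026-04-09T10:16:40 srx-edge1 srxpfe core dumped, process restarting
2026-04-09T10:18:05 srx-edge1 srxpfe core dumped, process restarting
2026-04-09T09:00:00 srx-branch7 srxpfe core dumped, process restarting
2026-04-09T13:00:00 srx-branch7 srxpfe core dumped, process restarting
""".splitlines()
```

Two crashes hours apart on one device stay below the threshold; three within ten minutes on a NAT64-enabled device are the pattern worth correlating with inbound ICMPv6 volume.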

Gaps in Detection Coverage

As of the time of writing, no IDS/IPS signatures (such as Snort or Suricata rules), YARA rules, or Sigma detection rules have been published specifically for CVE-2026-33790. There are also no known traditional Indicators of Compromise such as file hashes or malicious IP addresses, which is consistent with this being a network based DoS vulnerability rather than a malware related threat. Detection therefore relies primarily on version auditing, configuration review, and process crash monitoring rather than signature based network detection.

Affected Systems and Versions

The vulnerability affects Juniper Networks Junos OS exclusively on the SRX Series platform. The following version ranges are affected:

| Junos OS Train | Affected Versions | Fix Status |
|---|---|---|
| 21.2 | All versions before 21.2R3-S10 | Fixed in 21.2R3-S10 |
| 21.3 | All versions (entire train) | No fix available; EOE/EOL |
| 21.4 | From 21.4 before 21.4R3-S12 | Fixed in 21.4R3-S12 |
| 22.1 | All versions (entire train) | No fix available; EOE/EOL |
| 22.2 | From 22.2 before 22.2R3-S8 | Fix boundary at 22.2R3-S8 (possibly near EOL) |
| 22.4 | All versions before 22.4R3-S9 | Fixed in 22.4R3-S9 |
| 23.2 | From 23.2 before 23.2R2-S6 | Fixed in 23.2R2-S6 |
| 23.4 | From 23.4 before 23.4R2-S7 | Fixed in 23.4R2-S7 |
| 24.2 | From 24.2 before 24.2R2-S3 | Fixed in 24.2R2-S3 |
| 24.4 | From 24.4 before 24.4R2-S3 | Fixed in 24.4R2-S3 |
| 25.2 | From 25.2 before 25.2R1-S2 or 25.2R2 | Fixed in 25.2R1-S2 or 25.2R2 |

Required configuration: Only SRX Series devices with an active NAT64 (IPv6 to IPv4 translation) configuration are vulnerable. Devices without NAT64 configured are not affected regardless of their Junos OS version.
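
The manual audit described under Version Based Identification can be scripted against the version table above, combined with the NAT64 precondition. This is an added example, not code from Juniper or the original page; it handles only Rn and Rn-Sn release names, reports trains this page does not list as unlisted, and the function names and sample inventory are constructed.

```python
import re

# (release, service) fix boundary per train, from this page's tables.
# None = entire train affected with no fix (EOE/EOL).
FIX = {
    (21, 2): (3, 10), (21, 3): None,    (21, 4): (3, 12), (22, 1): None,
    (22, 2): (3, 8),  (22, 4): (3, 9),  (23, 2): (2, 6),  (23, 4): (2, 7),
    (24, 2): (2, 3),  (24, 4): (2, 3),  (25, 2): (1, 2),  (25, 4): (1, 0),
}
# 22.2R3-S8 is the implied boundary only; it is not in the Solution list.
# 25.2R2 needs no separate entry: (2, 0) already sorts after (1, 2).

# Accepts e.g. 21.4R3-S12, 23.2R2-S6.4, 25.2R2 (trailing .N is the build number).
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse_junos(version):
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, rel, svc = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (rel, svc)

def triage(version, nat64_configured):
    """Classify one SRX from its Junos version and NAT64 state."""
    train, build = parse_junos(version)
    if not nat64_configured:
        return "not exposed: no NAT64"
    if train > max(FIX):
        return "fixed"  # "25.4R1 (and all subsequent releases)"
    if train not in FIX:
        return "unlisted train: check JSA107874"
    boundary = FIX[train]
    if boundary is None:
        return "affected, no fix: move to a supported train"
    if build < boundary:
        rel, svc = boundary
        target = f"{train[0]}.{train[1]}R{rel}" + (f"-S{svc}" if svc else "")
        return f"affected: upgrade to {target} or later"
    return "fixed"

# Constructed inventory: hostname -> (version from `show version`, NAT64 configured?)
FLEET = {"edge1": ("21.4R3-S11.2", True), "edge2": ("25.2R2", True),
         "dc1": ("22.1R3-S4", True), "branch1": ("21.2R1", False)}

def triage_fleet(fleet):
    return {host: triage(ver, nat64) for host, (ver, nat64) in fleet.items()}
```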

Vendor Security History

The SRX Series platform has a notable history of being targeted by threat actors. In 2023, multiple Juniper SRX vulnerabilities were listed among the top routinely exploited vulnerabilities by malicious cyber actors, as documented in a joint advisory published by CISA and partner agencies (advisory AA24-317A). Specifically, flaws such as CVE-2023-36844 affecting Junos OS on SRX Series were heavily targeted in the wild. This historical pattern of rapid weaponization of Juniper edge device vulnerabilities provides important context for CVE-2026-33790. Attackers have demonstrated both the capability and the intent to exploit SRX vulnerabilities quickly after disclosure, which argues for treating this advisory with urgency even in the absence of confirmed exploitation today.
