CVE-2026-33782
Description
A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory leak, that will eventually cause a complete Denial-of-Service (DoS).
In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart which causes a complete service impact until the process has recovered.
The memory usage of jdhcpd can be monitored with:
user@host> show system processes extensive | match jdhcpd
This issue affects Junos OS:
- all versions before 22.4R3-S1,
- 23.2 versions before 23.2R2,
- 23.4 versions before 23.4R2.
Affected products
17cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*+ 16 more
- cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*range: <22.4
- cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:22.4:r2:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:22.4:r2-s1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:22.4:r2-s2:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:22.4:r3:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.2:-:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.2:r1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.2:r1-s1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.2:r1-s2:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.4:-:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.4:r1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.4:r1-s1:*:*:*:*:*:*
- cpe:2.3:o:juniper:junos:23.4:r1-s2:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- kb.juniper.net/JSA107820nvdVendor Advisory
News mentions
0No linked articles in our index yet.