CVE-2026-21920

DNS · DNS module of Juniper Networks Junos OS on SRX Series

A high-severity vulnerability has been identified in the DNS module of Juniper Networks Junos OS on SRX Series devices.

Executive summary

A high-severity vulnerability has been identified in the DNS module of Juniper Networks Junos OS on SRX Series devices. This flaw, tracked as CVE-2026-21920, can be exploited by an unauthenticated attacker over the network to cause a Denial of Service (DoS), potentially leading to a complete network outage for services protected by the affected firewall.

Vulnerability

The vulnerability is an "Unchecked Return Value" (CWE-252) in the device's DNS processing functionality. An unauthenticated, network-based attacker can send a specially crafted DNS query to an affected SRX device. When the system processes this malicious query, a function within the DNS module fails, but the software does not check for that failure state and continues execution with invalid data. This ultimately leads to a process crash and a Denial of Service (DoS) condition for the entire device.
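
The following is an added, generic illustration of the weakness class described above; it is not Junos code, and the affected Junos function is not public. A minimal DNS question parser (`read_name`, `parse_question_unchecked`, `parse_question_checked`, `serve`, all hypothetical names) shows a low-level routine signalling failure with a C-style sentinel, a caller that ignores it and continues with invalid data until the process dies, and the hardened caller that rejects the malformed query and keeps serving. The sample queries are constructed for the example.

```python
import struct

FAIL = -1  # C-style failure sentinel returned by the low-level routine


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a DNS name at `offset`.

    Returns (name, next_offset) on success, or ("", FAIL) if the name is
    truncated, uses an oversized label, or loops through compression pointers.
    """
    labels, hops, jumped, end = [], 0, False, FAIL
    while True:
        if offset >= len(msg):
            return "", FAIL
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            if offset + 1 >= len(msg):
                return "", FAIL
            if not jumped:
                end, jumped = offset + 2, True
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                return "", FAIL  # pointer loop
            continue
        if length > 63 or offset + 1 + length > len(msg):
            return "", FAIL  # label runs past the end of the message
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


class MalformedQuery(ValueError):
    """Raised by the hardened parser; the service answers FORMERR and continues."""


def parse_question_unchecked(msg: bytes) -> tuple:
    """Vulnerable pattern (CWE-252): the FAIL sentinel is never inspected."""
    name, off = read_name(msg, 12)
    # off may be -1 here; the slice then yields garbage and struct.unpack raises,
    # which in a C daemon would be an out-of-bounds read and a crash.
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass


def parse_question_checked(msg: bytes) -> tuple:
    """Hardened form: every failure path is checked before the data is used."""
    if len(msg) < 12:
        raise MalformedQuery("header too short")
    name, off = read_name(msg, 12)
    if off == FAIL:
        raise MalformedQuery("bad QNAME")
    if off + 4 > len(msg):
        raise MalformedQuery("truncated question section")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass


def serve(parser, msg: bytes) -> str:
    """One step of a service loop; reports the outcome instead of dying."""
    try:
        parser(msg)
        return "OK"
    except MalformedQuery:
        return "FORMERR"  # hardened path: reject and keep running
    except Exception as exc:  # unchecked path: unhandled error takes the process down
        return f"CRASH:{type(exc).__name__}"


# Constructed sample messages (not real traffic): a 12-byte header with QDCOUNT=1,
# a well-formed question for example.com, a label claiming 40 bytes with 3 present,
# and a compression pointer that points at itself.
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
GOOD_QUERY = HEADER + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
TRUNCATED_QUERY = HEADER + b"\x28abc"
LOOPING_QUERY = HEADER + b"\xc0\x0c"

if __name__ == "__main__":
    for q in (GOOD_QUERY, TRUNCATED_QUERY, LOOPING_QUERY):
        print(serve(parse_question_unchecked, q), serve(parse_question_checked, q))
```

The hardened parser is the only change that matters here: the same malformed input still arrives, but the failure sentinel is acted on before the offset is used, so the worst case is a FORMERR response rather than a dead process.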

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation would result in a Denial of Service, causing the SRX firewall to become unresponsive and stop forwarding traffic. This can lead to significant business disruption, including loss of internet connectivity, unavailability of critical applications, and disruption of VPN services. The potential for a complete network outage poses a direct risk to business continuity, operational stability, and brand reputation.

Remediation

Immediate Action: Apply the security updates provided by Juniper Networks immediately to all affected SRX Series devices. After patching, monitor system logs and network traffic for any signs of exploitation attempts or anomalous behavior related to the DNS service.

Proactive Monitoring: Security teams should monitor for unexpected reboots or crashes of SRX devices. Review device logs for errors related to the DNS process (e.g., flowd). Monitor DNS traffic for unusual query patterns or sources targeting the affected devices, which could indicate scanning or exploitation attempts.
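
As an added example of the monitoring described above (not part of the original advisory, and not a Juniper-provided tool), the script below runs two checks over syslog lines: it flags flowd crash or restart messages, and it counts DNS (destination port 53) session-create events per source address per minute to surface bursts and sources outside trusted ranges. The log lines are constructed for the example and only loosely modelled on Junos RT_FLOW output; the function names, the `per_minute_threshold` and the `trusted_prefixes` default are assumptions to adjust for a real deployment.

```python
import re
from collections import Counter

# Constructed, approximate log formats: a structured RT_FLOW session-create event
# and an init-style process termination message. Not captured from a real device.
DNS_SESSION = re.compile(
    r'source-address="(?P<src>[^"]+)".*?destination-port="53".*?protocol-id="(?P<proto>\d+)"'
)
CRASH = re.compile(r"\bflowd\b.*?(terminated by signal|core dumped|exited|restart)", re.IGNORECASE)
TS = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) ")


def minute_key(line: str) -> str:
    """Bucket a syslog line by its minute so per-source counts are rate-like."""
    m = TS.match(line)
    return f"{m['mon']} {m['day']} {m['h']}:{m['m']}" if m else "unknown"


def analyze(lines, per_minute_threshold=10, trusted_prefixes=("10.",)) -> dict:
    """Return flowd crash lines, DNS query bursts, and untrusted DNS sources."""
    crashes, per_src_minute, untrusted = [], Counter(), set()
    for line in lines:
        if CRASH.search(line):
            crashes.append(line.strip())
        m = DNS_SESSION.search(line)
        if m:
            src = m["src"]
            per_src_minute[(src, minute_key(line))] += 1
            if not src.startswith(trusted_prefixes):
                untrusted.add(src)
    bursts = sorted({src for (src, _), n in per_src_minute.items() if n >= per_minute_threshold})
    return {
        "crashes": crashes,
        "dns_bursts": bursts,
        "untrusted_dns_sources": sorted(untrusted),
    }


def _sess(ts: str, src: str, port: int) -> str:
    """Build one constructed DNS session-create line."""
    return (f'{ts} srx1 RT_FLOW - RT_FLOW_SESSION_CREATE [source-address="{src}" '
            f'source-port="{port}" destination-address="10.1.1.1" '
            f'destination-port="53" protocol-id="17"]')


# Constructed sample: two normal internal lookups, a burst of 12 queries from an
# external address within one minute, then a flowd termination and restart.
SAMPLE_LOGS = [
    _sess("Jan 12 10:00:01", "10.1.1.20", 51000),
    _sess("Jan 12 10:00:07", "10.1.1.21", 51001),
    *[_sess(f"Jan 12 10:02:{i:02d}", "198.51.100.7", 40000 + i) for i in range(12)],
    "Jan 12 10:02:31 srx1 init: flowd (PID 2345) terminated by signal number 11. Core dumped!",
    "Jan 12 10:02:35 srx1 init: flowd (PID 2399) started",
    "Jan 12 10:03:00 srx1 sshd[1100]: Accepted publickey for admin from 10.1.1.50",
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

A crash finding on its own is the strongest signal for this CVE; a burst from an untrusted source in the minute before it is the context an incident responder will want, and the same counting also confirms whether the compensating control of restricting the DNS service to internal ranges is actually in effect.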

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

  • Restrict access to the SRX device's DNS proxy/forwarding service to trusted internal IP ranges only.
  • Implement rate-limiting for DNS queries on upstream network devices to mitigate the impact of automated attack tools.
  • If possible, offload DNS resolution to a dedicated, secure DNS server infrastructure instead of using the firewall's built-in capabilities.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability presents a significant risk of network disruption to the organization. Due to the high severity (CVSS 7.5) and the fact that an attacker requires no authentication, we strongly recommend that the vendor-supplied patches be applied as a top priority. While this CVE is not currently on the CISA KEV list, its characteristics make it an attractive target for attackers seeking to cause disruption. Organizations should prioritize patching and implement the recommended monitoring controls to prevent a potentially impactful Denial of Service event.