DoS via Missing Sync in Junos OS Evolved QFX sFlow Collector
CVE-2026-57029 Published on July 9, 2026
Junos OS Evolved: QFX Series: When sFlow collector reachability changes evo-pfemand process can crash
A Missing Synchronization vulnerability in the flow collector handler of Juniper Networks Junos OS Evolved on QFX Series allows an adjacent, unauthenticated attacker to cause a Denial-of-Service (DoS).
When the reachability of an sFlow collector changes, the corresponding next-hop entry is updated. If this update occurs simultaneously with the sFlow thread accessing the next-hop data (which is outside the attackers control), it causes the evo-pfemand process to crash, impacting all traffic forwarding until the automatic process restart has completed.
This issue affects Junos OS Evolved on QFX Series:
* all 23.2 versions,
* 23.4 versions before 23.4R2-S7-EVO,
* 24.2 versions before 24.2R2-S5-EVO,
* 24.4 versions before 24.4R2-S3-EVO,
* 25.2 versions before 25.2R2-EVO.
Vulnerability Analysis
Weakness Type
Missing Synchronization
The software utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource. If access to a shared resource is not synchronized, then the resource may not be in a state that is expected by the software. This might lead to unexpected or insecure behaviors, especially if an attacker can influence the shared resource.
Products Associated with CVE-2026-57029
Want to know whenever a new CVE is published for Juniper Networks Junos Os Evolved? stack.watch will email you.
Affected Versions
Juniper Networks Junos OS Evolved:- Before 23.4R2-S7-EVO is affected.
- Version 24.2 and below 24.2R2-S5-EVO is affected.
- Version 24.4 and below 24.4R2-S3-EVO is affected.
- Version 25.2 and below 25.2R2-EVO is affected.