SB2025041501 - Missing release of memory after effective lifetime in Juniper Junos OS

Security Bulletin ID SB2025041501

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing release of memory after effective lifetime (CVE-ID: CVE-2025-30658)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing release of memory after effective lifetime error in the Anti-Virus processing. A remote non-authenticated attacker can cause a Denial-of-Service (DoS).

On all SRX platforms with Anti-Virus enabled, if a server sends specific content in the HTTP body of a response to a client request, these packets are queued by Anti-Virus processing in Juniper Buffers (jbufs) which are never released.

When these jbufs are exhausted, the device stops forwarding all transit traffic.

Remediation

Install update from vendor's website.

References

https://supportportal.juniper.net/s/article/2025-04-Security-Bulletin-Junos-OS-SRX-Series-On-devices-with-Anti-Virus-enabled-malicious-server-responses-will-cause-memory-to-leak-ultimately-causing-forwarding-to-stop-CVE-2025-30658