SB2026050821 - Denial of service in Junos OS bbe-smgd

Description

This security bulletin contains information about 1 vulnerability.

1) Memory leak (CVE-ID: CVE-2026-33775)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing release of memory after effective lifetime in the BroadBand Edge subscriber management daemon (bbe-smgd) when processing received packets with a mismatch between configured and received packet types. A remote attacker can send mismatched packets to cause a denial of service.

The issue occurs only when the authentication packet-types setting is configured inconsistently with the accepted packet type, and once memory available to bbe-smgd is exhausted, new subscribers cannot log in.

Remediation

Install update from vendor's website.

References

• https://supportportal.juniper.net/s/article/2026-04-Security-Bulletin-Junos-OS-MX-Series-Mismatch-between-configured-and-received-packet-types-causes-memory-leak-in-bbe-smgd-CVE-2026-33775
• https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H