CVE-2026-0263

Summary

A buffer overflow vulnerability in the IKEv2 processing of Palo Alto Networks PAN-OS® software allows an unauthenticated network-based attacker to execute arbitrary code with elevated privileges on the firewall, or cause a denial of service (DoS) condition.

Panorama, Cloud NGFW, and Prisma® Access are not impacted by these vulnerabilities.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS12.1.0 < 12.1.7, 12.1.4-h5affected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33affected
Palo Alto NetworksPAN-OS10.2.0unaffected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-787: CWE-787 Out-of-bounds Write

Workarounds

Customers using IKEv2 VPN can mitigate this issue by configuring IKEv2 VPN tunnels only with NIST approved Post Quantum Cryptography (PQC) ciphers.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References