CVE-2026-0264

Summary

A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary code by sending specially crafted network traffic (PA-Series hardware only).

Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS12.1.0 < 12.1.7, 12.1.4-h5affected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34affected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-122: CWE-122 Heap-based Buffer Overflow

Workarounds

Customers can mitigate the risk of this issue by taking either of the following actions:

Action 1:

  • Disassociate DNS Proxy from externally accessible interfaces in order to reduce your attack surface; AND
  • Configure DNS server with a RFC1918 or a public trusted IP address.

OR Action 2:

  • Disable the DNS Proxy feature (Network > DNS Proxy) if it is not being used; AND
  • Configure DNS server with a RFC1918 or a public trusted IP address.

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510027 from Applications and Threats content version 9100-10044 and later.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

Additional References

References