CVE-2026-0280

Summary

An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach protected services.

Cloud NGFW and Panorama are not impacted by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS12.1.0 < 12.1.8affected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.13affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.16affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.18-h8affected
Palo Alto NetworksPanoramaAllunaffected
Palo Alto NetworksPrisma Access11.2.0 < 11.2.7-h18affected
Palo Alto NetworksPrisma Access10.2.0 < 10.2.10-h39affected

Weaknesses

  • CWE-131: CWE-131 Incorrect Calculation of Buffer Size

Workarounds

The only way to completely address this vulnerability is to upgrade to a fixed version. However, if operationally feasible for your environment, risk can be mitigated by enabling the default "Non SYN TCP Reject" setting via the following command: 

 set deviceconfig setting session tcp-reject-non-syn yes

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References