CVE-2026-0280
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/AU:Y/V:D/RE:M/U:Amber
Summary
An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach protected services.
Cloud NGFW and Panorama are not impacted by this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | PAN-OS | 12.1.0 < 12.1.8 | affected |
| Palo Alto Networks | PAN-OS | 11.2.0 < 11.2.13 | affected |
| Palo Alto Networks | PAN-OS | 11.1.0 < 11.1.16 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.18-h8 | affected |
| Palo Alto Networks | Panorama | All | unaffected |
| Palo Alto Networks | Prisma Access | 11.2.0 < 11.2.7-h18 | affected |
| Palo Alto Networks | Prisma Access | 10.2.0 < 10.2.10-h39 | affected |
Weaknesses
- CWE-131: CWE-131 Incorrect Calculation of Buffer Size
Workarounds
The only way to completely address this vulnerability is to upgrade to a fixed version. However, if operationally feasible for your environment, risk can be mitigated by enabling the default "Non SYN TCP Reject" setting via the following command:
set deviceconfig setting session tcp-reject-non-syn yes
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.