EUVD-2026-36145
GHSA-v62p-f565-pfxr
Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber
Adjacent vector for tunnel-interface-adjacent requirement, low privilege for authenticated user, unchanged scope, availability-only impact with no confidentiality or integrity effects.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
A memory corruption vulnerability in the processing of tunnel traffic in Palo Alto Networks PAN-OS® software allows an authenticated user to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.
Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.
AnalysisAI
Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the firewall into unplanned reboots or maintenance mode via a crafted packet, constituting a denial-of-service against the firewall itself. The CVSS 4.0 vector (AV:A/PR:L/VA:H) confirms the impact is purely availability - no confidentiality or integrity loss - and exploitation requires both authenticated access and adjacency to the tunnel interface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concrete prerequisites: (1) the attacker must be authenticated to the PAN-OS system (PR:L - at minimum a low-privileged user account), and (2) the attacker must be on an adjacent network segment with the ability to send tunnel traffic to the firewall (AV:A). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 4.6 (Medium) accurately reflects limited real-world priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker with access to the same network segment as a PAN-OS firewall's tunnel interface crafts a malformed tunnel packet designed to trigger the improper condition check in the tunnel traffic processor, causing memory corruption and an unplanned firewall reboot. Repeating this sequence of crafted packets in rapid succession forces the firewall to escalate into maintenance mode, taking it offline and disrupting all traffic it was inspecting or routing. … |
| Remediation | Consult the Palo Alto Networks security advisory at https://security.paloaltonetworks.com/CVE-2026-0269 for exact patched PAN-OS version numbers; no specific fix version was available in the data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict
Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an
Privilege escalation in Palo Alto Networks Prisma Access Agent on Linux allows a locally authenticated low-privileged us
Path traversal in Palo Alto Networks Cortex XSOAR engine on Linux enables arbitrary file write to the host system by an
GlobalProtect app on macOS exposes administrator-configured passcodes - used to restrict disabling, disconnecting, or un
Share
External POC / Exploit Code
Leaving vuln.today