Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red
Lifecycle Timeline
4DescriptionCVE.org
A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary code by sending specially crafted network traffic (PA-Series hardware only).
Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.
AnalysisAI
Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated remote attackers to trigger a denial-of-service condition across all PAN-OS platforms (except Cloud NGFW and Prisma Access) and potentially achieve arbitrary code execution on PA-Series hardware appliances via specially crafted network traffic. The flaw is rated CVSS 7.2 with high attack complexity; no public exploit identified at time of analysis and EPSS is 0.07%, but the technical impact is rated total by SSVC.
Technical ContextAI
PAN-OS is the operating system underpinning Palo Alto Networks next-generation firewalls and runs DNS proxy/server services that intercept and forward DNS traffic for security inspection and policy enforcement. The vulnerability is classified as CWE-122 (heap-based buffer overflow), indicating that malformed DNS-formatted input is parsed into a heap-allocated buffer without proper bounds checking, allowing out-of-bounds writes that corrupt adjacent heap metadata or object pointers. On PA-Series hardware, the underlying memory layout and DNS daemon process privileges permit the corruption to be steered toward arbitrary code execution, whereas on virtual/cloud-based PAN-OS deployments (excluding Cloud NGFW and Prisma Access, which are explicitly unaffected) the same overflow is reachable but only demonstrably leads to service crash and DoS. CPE coverage references palo_alto_networks:pan-os, with Cloud NGFW and Prisma Access CPEs listed only to mark them as out of scope.
RemediationAI
Vendor-released patch: upgrade PAN-OS to the fixed train applicable to your branch - 10.2.18-h6 (or the listed hotfix for earlier 10.2.x maintenance trains), 11.1.15 (or the listed 11.1.x hotfixes), 11.2.12 (or the listed 11.2.x hotfixes), or 12.1.7 / 12.1.4-h5, per the Palo Alto advisory at https://security.paloaltonetworks.com/CVE-2026-0264. As a compensating control until patching, disable the DNS proxy and DNS Server features on affected PAN-OS devices via Network > DNS Proxy and the relevant security profile / Device > Setup > Services configuration - this eliminates the attack surface but breaks any internal DNS forwarding, DNS sinkhole, and DNS-based content inspection workflows that depend on those features. Where disabling is not viable, restrict inbound reachability to the firewall's DNS proxy/server interfaces using upstream ACLs so only trusted resolvers can deliver DNS traffic to those listeners, accepting that this still leaves the attack surface exposed to any compromised upstream resolver. Panorama, Cloud NGFW, and Prisma Access require no action. Cross-reference: https://nvd.nist.gov/vuln/detail/CVE-2026-0264 and https://vuldb.com/vuln/363661.
More in Cloud Ngfw
View allAuthentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication
Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IK
Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall data
Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or de
Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict
Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape s
Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an
Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attac
Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi
Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator t
Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a Jav
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30065
GHSA-99hw-j87x-3cgm