Skip to main content

PAN-OS EUVDEUVD-2026-30108

| CVE-2026-0262 MEDIUM
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-05-13 palo_alto GHSA-3mc4-hxgv-pc7g
6.6
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
6.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 11:00 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
6.6 (MEDIUM)
CVE Published
May 13, 2026 - 17:49 nvd
MEDIUM 6.6
CVE Published
May 13, 2026 - 17:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic.

Panorama and Cloud NGFW are not impacted by these vulnerabilities.

AnalysisAI

Multiple denial-of-service conditions in Palo Alto Networks PAN-OS allow unauthenticated remote attackers to crash or degrade firewall availability by sending specially crafted network traffic, with a high availability impact (VA:H) on the vulnerable system. Affected deployments span PAN-OS 10.2, 11.1, 11.2, and 12.1 branches as well as Prisma Access; vendor explicitly states Panorama and Cloud NGFW are not impacted, though Cloud NGFW appears in CPE strings - a discrepancy worth verifying. No public exploit identified at time of analysis, EPSS is very low (0.05%, 16th percentile), and SSVC classifies exploitation as none with non-automatable attack patterns, collectively suggesting a patch-cycle priority rather than an emergency response.

Technical ContextAI

PAN-OS is Palo Alto Networks' proprietary operating system underpinning its next-generation firewall (NGFW) hardware and virtual appliances, as well as the Prisma Access cloud-delivered security service. The root cause is CWE-754 (Improper Check for Unusual or Exceptional Conditions), meaning the PAN-OS network processing code fails to properly handle malformed, unexpected, or edge-case input in certain protocol parsers or traffic handlers. When such input is received, the affected process does not gracefully recover, resulting in an availability loss (DoS). The CVSS 4.0 vector AT:N (no attack requirements) indicates no special non-default configuration is required on the firewall to trigger the condition, though the SSVC Automatable:no determination suggests that producing reliably effective crafted traffic requires specific knowledge or targeting rather than generic scanning. Affected CPE strings cover cpe:2.3:a:palo_alto_networks:pan-os and cpe:2.3:a:palo_alto_networks:prisma_access across broad version ranges.

RemediationAI

Upgrade to a vendor-patched release per the affected version matrix: for PAN-OS 10.2, target 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, or 10.2.7-h34 depending on the current maintenance track; for PAN-OS 11.1, target 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, or 11.1.4-h33; for PAN-OS 11.2, target 11.2.12, 11.2.10-h6, 11.2.7-h13, or 11.2.4-h17; for PAN-OS 12.1, target 12.1.7 or 12.1.4-h5. For Prisma Access, target 10.2.10-h36 (10.2 track) or 11.2.7-h13 (11.2 track). Full details and download links are available at the official vendor advisory: https://security.paloaltonetworks.com/CVE-2026-0262. As an interim compensating control while patching is scheduled, restrict network access to PAN-OS management interfaces using management interface security profiles or out-of-band management networks to reduce the attack surface; note this may not fully mitigate vulnerabilities triggered via data-plane traffic. Panorama and Cloud NGFW deployments do not require action per the vendor advisory.

CVE-2026-0265 HIGH
7.2 May 13

Authentication bypass in Palo Alto Networks PAN-OS allows unauthenticated network attackers to circumvent authentication

CVE-2026-0264 HIGH
7.2 May 13

Heap-based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS allows unauthenticated

CVE-2026-0263 HIGH
7.2 May 13

Remote code execution and denial-of-service in Palo Alto Networks PAN-OS software stems from a buffer overflow in the IK

CVE-2026-0287 MEDIUM
6.6 Jul 09

Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall data

CVE-2026-0273 MEDIUM
6.1 Jun 10

Command injection in Palo Alto Networks PAN-OS enables an authenticated administrator to escape system-enforced restrict

CVE-2026-0261 MEDIUM
6.1 May 13

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS allow an authenticated administrator to escape s

CVE-2026-0272 MEDIUM
6.0 Jun 10

Privilege escalation in Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances allows an

CVE-2026-0258 MEDIUM
4.8 May 13

Server-side request forgery in the IKEv2 implementation of Palo Alto Networks PAN-OS allows unauthenticated remote attac

CVE-2026-0269 MEDIUM
4.6 Jun 10

Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the fi

CVE-2026-0256 MEDIUM
4.4 May 13

Stored cross-site scripting in Palo Alto Networks PAN-OS® web interface allows a malicious authenticated administrator t

CVE-2026-0266 LOW
1.1 Jun 10

Stored cross-site scripting in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to persist a Jav

Share

EUVD-2026-30108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy