Palo Alto Networks Security Advisories / CVE-2021-3038

CVE-2021-3038 GlobalProtect App: Windows VPN kernel driver denial of service (DoS)

Severity 5.5 · MEDIUM
Attack Vector LOCAL
Attack Complexity LOW
Privileges Required LOW
User Interaction NONE
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH


A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error.

This issue impacts:

GlobalProtect app 5.1 versions earlier than GlobalProtect app 5.1.8;

GlobalProtect app 5.2 versions earlier than GlobalProtect app 5.2.4.

Product Status

GlobalProtect App 5.2< 5.2.4 on Windows>= 5.2.4 on Windows
GlobalProtect App 5.1< 5.1.8 on Windows>= 5.1.8 on Windows

Severity: MEDIUM

CVSSv3.1 Base Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-20 Improper Input Validation

CWE-248 Uncaught Exception


This issue is fixed in GlobalProtect app 5.1.8, GlobalProtect app 5.2.4, and all later GlobalProtect app versions.

Workarounds and Mitigations


Palo Alto Networks thanks Christophe Schleypen from NCIA / NCIRC for discovering and reporting this issue.


Initial publication
© 2020 Palo Alto Networks, Inc. All rights reserved.