CVE-2026-0229 PAN-OS: Denial of Service in Advanced DNS Security Feature

Urgency MODERATE

Severity 6.6 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort MODERATE
Recovery USER
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

A denial-of-service (DoS) vulnerability in the Advanced DNS Security (ADNS) feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot cause the firewall to enter maintenance mode.

Cloud NGFW and Prisma Access® are not impacted by this vulnerability.

Product Status

Versions         Affected      Unaffected
Cloud NGFW       None          All
PAN-OS 12.1      < 12.1.4      >= 12.1.4
PAN-OS 11.2      < 11.2.10     >= 11.2.10
PAN-OS 11.1      None          All
PAN-OS 10.2      None          All
Prisma Access    None          All

Required Configuration for Exposure

The firewall must have Advanced DNS Security (ADNS) enabled and a spyware profile with actions configured to block, sinkhole, or alert (i.e., any non-allow value).
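A fleet triage sketch that combines the Product Status ranges with the exposure condition above. This is an added example, not Palo Alto Networks code; the inventory fields (device name, version string, ADNS flag, spyware profile action) and the status labels are assumptions, and the sample inventory is constructed.

```python
import re

# Fixed release per affected train, from the advisory's Product Status table.
FIXED = {(12, 1): (12, 1, 4), (11, 2): (11, 2, 10)}
# Trains the advisory lists as unaffected in every release.
UNAFFECTED_TRAINS = {(11, 1), (10, 2)}

def parse_version(text):
    """Parse 'major.minor.patch'; an optional '-hN' hotfix suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version, adns_enabled, spyware_action):
    """Classify one firewall against the advisory's version and config criteria."""
    v = parse_version(version)
    train = v[:2]
    if train in UNAFFECTED_TRAINS:
        return "not-affected"
    if train not in FIXED:
        return "not-listed"  # older/unsupported or unknown train: review manually
    if v >= FIXED[train]:
        return "not-affected"
    # Exposure requires ADNS enabled and a non-allow spyware profile action.
    if adns_enabled and spyware_action.strip().lower() != "allow":
        return "exposed"
    return "affected-not-exposed"

# Constructed inventory: (name, version, ADNS enabled, spyware profile action).
INVENTORY = [
    ("fw-edge-01", "11.2.9-h1", True, "sinkhole"),
    ("fw-edge-02", "11.2.10", True, "block"),
    ("fw-dc-01", "12.1.3", False, "alert"),
    ("fw-lab-01", "11.1.6", True, "block"),
    ("fw-old-01", "10.1.14", True, "alert"),
]

def report(inventory):
    return {name: triage(ver, adns, act) for name, ver, adns, act in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

Devices reported as affected-not-exposed still run a vulnerable release and become exposed if ADNS or a non-allow action is enabled later, so they belong in the upgrade queue as well.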

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 6.6 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-754 Improper Check for Unusual or Exceptional Conditions

CAPEC-153 Input Data Manipulation

Solution

Version                                  Minor Version            Suggested Solution
Cloud NGFW                               All                      No action needed.
PAN-OS 12.1                              12.1.2 through 12.1.3    Upgrade to 12.1.4 or later.
PAN-OS 11.2                              11.2.0 through 11.2.9    Upgrade to 11.2.10 or later.
PAN-OS 11.1                              -                        No action needed.
PAN-OS 10.2                              -                        No action needed.
All older unsupported PAN-OS versions    -                        Upgrade to a supported fixed version.
Prisma Access                            All                      No action needed.

Workarounds and Mitigations

No known workarounds exist for this issue. Due to the nature of this vulnerability, a Threat Prevention Signature to detect this is also not possible. 

Acknowledgments

Palo Alto Networks thanks an internal reporter, jliu@TikkalaSecurity, for discovering and reporting this issue.

CPEs

cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.9:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.8:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*

cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*

Timeline

Initial Publication
© 2026 Palo Alto Networks, Inc. All rights reserved.