CVE-2026-0243 Prisma SD-WAN: Denial of Service (DoS) Vulnerability Through IPv6 Crafted Packet

Palo Alto Networks Security Advisories / CVE-2026-0243

CVE-2026-0243 Prisma SD-WAN: Denial of Service (DoS) Vulnerability Through IPv6 Crafted Packet

Urgency MODERATE

Severity 4.9 · MEDIUM

Exploit Maturity UNREPORTED

Response Effort MODERATE

Recovery USER

Value Density DIFFUSE

Attack Vector ADJACENT

Attack Complexity LOW

Attack Requirements NONE

Automatable YES

User Interaction NONE

Product Confidentiality NONE

Product Integrity NONE

Product Availability HIGH

Privileges Required NONE

Subsequent Confidentiality NONE

Subsequent Integrity NONE

Subsequent Availability LOW

CVE JSON CSAF

Published 2026-05-13

Updated 2026-05-13

Discovered internally

Description

A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv6 packet.

Product Status

Versions	Affected	Unaffected
Prisma SD-WAN ION 6.5	< 6.5.3-b15	>= 6.5.3-b15
Prisma SD-WAN ION 6.4	< 6.4.3-b8	>= 6.4.3-b8
Prisma SD-WAN ION 6.3	< 6.3.6-b10	>= 6.3.6-b10
Prisma SD-WAN ION 6.1	None	All
Prisma SD-WAN ION 5.6	None	All

Note on end-of-life versions

If you are using any Prisma SD-WAN software end-of-life (EoL) versions, we recommend that you upgrade to Prisma SD-WAN 6.3.6, Prisma SD-WAN 6.4.3, or Prisma SD-WAN 6.5.3 or later.

If you are using the Prisma SD-WAN ION 6.2.4 on-prem version, we recommend that you upgrade to Prisma SD-WAN 6.2.4-b12 version.

Required Configuration for Exposure

IPv6 must be enabled on the SD-WAN ION device.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 4.9 / CVSS-B: 7.1 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:U/AU:Y/R:U/V:D/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type and Impact

CWE-606 Unchecked Input for Loop Condition

CAPEC-130 Excessive Allocation

Solution

Version	Minor Version	Suggested Solution
Prisma SD-WAN ION 6.5	6.5.1 through 6.5.3	Upgrade to 6.5.3-b15 or later.
Prisma SD-WAN ION 6.4	6.4.1 through 6.4.3	Upgrade to 6.4.3-b8 or later.
Prisma SD-WAN ION 6.3	6.3.1 through 6.3.6	Upgrade to 6.3.6-b10 or later.
Prisma SD-WAN ION 6.1		No action needed.
Prisma SD-WAN ION 5.6		No action needed.

Workarounds and Mitigations

Disable IPv6 on SD-WAN ION devices if not required.

Acknowledgments

Palo Alto Networks thanks our internal security research teams for discovering and reporting this issue.

CPE Applicability

cpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including)6.5.1 and up to (excluding)6.5.3-b15
ORcpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including)6.4.1 and up to (excluding)6.4.3-b8
ORcpe:2.3:h:palo_alto_networks:prisma_sd-wan_ion:*:*:*:*:*:*:*:* is vulnerable from (including)6.3.1 and up to (excluding)6.3.6-b10

Timeline

2026-05-13 Initial publication.