CVE-2026-0280 PAN-OS: IPv6 Firewall Policy Bypass
Description
An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach protected services.
Cloud NGFW and Panorama are not impacted by this vulnerability.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h8 < 12.1.7-h2 < 12.1.8 | >= 12.1.4-h8 >= 12.1.7-h2 >= 12.1.8 |
| PAN-OS 11.2 | < 11.2.4-h20 < 11.2.7-h18 < 11.2.10-h11 < 11.2.13 | >= 11.2.4-h20 >= 11.2.7-h18 >= 11.2.10-h11 >= 11.2.13 |
| PAN-OS 11.1 | < 11.1.4-h35 < 11.1.6-h35 < 11.1.7-h8 < 11.1.10-h30 < 11.1.13-h9 < 11.1.16 | >= 11.1.4-h35 >= 11.1.6-h35 >= 11.1.7-h8 >= 11.1.10-h30 >= 11.1.13-h9 >= 11.1.16 |
| PAN-OS 10.2 | < 10.2.7-h36 < 10.2.10-h39 < 10.2.13-h23 < 10.2.16-h9 < 10.2.18-h8 | >= 10.2.7-h36 >= 10.2.10-h39 >= 10.2.13-h23 >= 10.2.16-h9 >= 10.2.18-h8 |
| Panorama | None | All |
| Prisma Access 11.2.0 | < 11.2.7-h18* | >= 11.2.7-h18* |
| Prisma Access 10.2.0 | < 10.2.10-h39* | >= 10.2.10-h39* |
* Palo Alto Networks will upgrade all customers during the next scheduled maintenance cycle. Customers who prefer an upgrade prior to this cycle should contact Palo Alto Networks Support to schedule an on-demand software upgrade window.
Required Configuration for Exposure
This issue applies to PAN-OS firewalls with IPv6 enabled on one or more interfaces.
You can verify IPv6 is enabled by checking:
Network -> Interfaces -> [Interface with Layer3 type] -> IPv6 > Enable IPv6 on the interface
Severity: LOW, Suggested Urgency: MODERATE
CVSS-BT: 1.7 / CVSS-B: 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/AU:Y/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-131 Incorrect Calculation of Buffer Size
CAPEC-153 Input Data Manipulation
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| Cloud NGFW | No action needed. | |
| PAN-OS 12.1 |
12.1.5 through 12.1.7-h* | Upgrade to 12.1.7-h2 or 12.1.8 or later. |
| 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h8 or 12.1.8 or later. | |
| PAN-OS 11.2 |
11.2.11 through 11.2.12 | Upgrade to 11.2.13 or later. |
| 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h11 or 11.2.13 or later. | |
| 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h18 or 11.2.13 or later. | |
| 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h20 or 11.2.13 or later. | |
| PAN-OS 11.1 |
11.1.14 through 11.1.15 | Upgrade to 11.1.16 or later. |
| 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h9 or 11.1.16 or later. | |
| 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h30 or 11.1.16 or later. | |
| 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h8 or 11.1.16 or later. | |
| 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h35 or 11.1.16 or later. | |
| 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h35 or 11.1.16 or later. | |
| PAN-OS 10.2 |
10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h8 or later. |
| 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h9 or later. | |
| 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h23 or later. | |
| 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h39 or later. | |
| 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h36 or later. | |
| All older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access 11.2 | 11.2.0 through 11.2.7 | Upgrade to 11.2.7-h18 or later.* |
| Prisma Access 10.2 | 10.2.0 through 10.2.10 | Upgrade to 10.2.10-h39 or later.* |
* See the note under Product Status for information regarding Prisma Access upgrades.
Workarounds and Mitigations
The only way to completely address this vulnerability is to upgrade to a fixed version. However, if operationally feasible for your environment, risk can be mitigated by enabling the default "Non SYN TCP Reject" setting via the following command:
set deviceconfig setting session tcp-reject-non-syn yesAcknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:12.1.7:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h3:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h2:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.0 and up to (excluding)12.1.8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.7 and up to (excluding)12.1.7-h2
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.4 and up to (excluding)12.1.4-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.13
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.10 and up to (excluding)11.2.10-h11
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.4 and up to (excluding)11.2.4-h20
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.16
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.13 and up to (excluding)11.1.13-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.10 and up to (excluding)11.1.10-h30
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.7 and up to (excluding)11.1.7-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.6 and up to (excluding)11.1.6-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.4 and up to (excluding)11.1.4-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.18 and up to (excluding)10.2.18-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.16 and up to (excluding)10.2.16-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.13 and up to (excluding)10.2.13-h23
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.7 and up to (excluding)10.2.7-h36
- or
- cpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39