CVE-2026-0287 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing
Description
Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic to or through a dataplane interface. Repeated attempts to trigger this condition result in the firewall entering maintenance mode.
Panorama is not impacted by these vulnerabilities.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | All on AWS All on Azure | None on AWS None on Azure |
| PAN-OS 12.1 | < 12.1.4-h8 < 12.1.7-h2 < 12.1.8 | >= 12.1.4-h8 >= 12.1.7-h2 >= 12.1.8 |
| PAN-OS 11.2 | < 11.2.4-h20 < 11.2.7-h18 < 11.2.10-h12 < 11.2.13 | >= 11.2.4-h20 >= 11.2.7-h18 >= 11.2.10-h12 >= 11.2.13 |
| PAN-OS 11.1 | < 11.1.4-h35 < 11.1.6-h35 < 11.1.7-h8 < 11.1.10-h30 < 11.1.13-h9 < 11.1.16 | >= 11.1.4-h35 >= 11.1.6-h35 >= 11.1.7-h8 >= 11.1.10-h30 >= 11.1.13-h9 >= 11.1.16 |
| PAN-OS 10.2 | < 10.2.7-h36 < 10.2.10-h39 < 10.2.13-h23 < 10.2.16-h9 < 10.2.18-h8 | >= 10.2.7-h36 >= 10.2.10-h39 >= 10.2.13-h23 >= 10.2.16-h9 >= 10.2.18-h8 |
| Prisma Access 11.2.0 | < 11.2.7-h18* | >= 11.2.7-h18* |
| Prisma Access 10.2.0 | < 10.2.10-h39* | >= 10.2.10-h39* |
* Prisma® Access and Cloud NGFW have built-in resilience to mitigate disruptive network traffic and maintain service availability. Palo Alto Networks will upgrade all customers during the next scheduled maintenance cycle. Customers who prefer an upgrade prior to this cycle should contact Palo Alto Networks Support to schedule an on-demand software upgrade window.
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-BT: 6.6 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)
The risk of exploitation is lower for Prisma Access as it requires an authenticated user and the external network access to the dataplane interface is restricted.
MEDIUM
- CVSS-BT: 4.6 /CVSS-B: 6.9 (CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
CAPEC-153 Input Data Manipulation
Solution
| Version | Minor Version Range | Suggested Solution |
|---|---|---|
| Cloud NGFW | Customers who prefer to upgrade can work with Palo Alto Networks support to schedule an on-demand software upgrade. | |
| PAN-OS 12.1 | 12.1.5 through 12.1.7-h* | Upgrade to 12.1.7-h2 or 12.1.8 or later. |
| 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h8 or 12.1.8 or later. | |
| PAN-OS 11.2 | 11.2.11 through 11.2.12 | Upgrade to 11.2.13 or later. |
| 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h12 or 11.2.13 or later. | |
| 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h18 or 11.2.13 or later. | |
| 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h20 or 11.2.13 or later. | |
| PAN-OS 11.1 | 11.1.14 through 11.1.15 | Upgrade to 11.1.16 or later. |
| 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h9 or 11.1.16 or later. | |
| 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h30 or 11.1.16 or later. | |
| 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h8 or 11.1.16 or later. | |
| 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h35 or 11.1.16 or later. | |
| 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h35 or 11.1.16 or later. | |
| PAN-OS 10.2 | 10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h8 or later. |
| 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h9 or later. | |
| 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h23 or later. | |
| 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h39 or later. | |
| 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h36 or later. | |
| All other older unsupported PAN-OS versions | Upgrade to a supported fixed version. | |
| Prisma Access 11.2 | 11.2.0 through 11.2.7 | Upgrade to 11.2.7-h18 or later.* |
| Prisma Access 10.2 | 10.2.0 through 10.2.10 | Upgrade to 10.2.10-h39 or later.* |
* See the note under Product Status for information regarding Cloud NGFW and Prisma Access upgrades.
Workarounds and Mitigations
No known workarounds exist for this issue.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:12.1.7:h1:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.7:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h7:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h3:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:h2:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.4:-:*:*:*:*:*:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:cloud_ngfw:*:*:*:*:*:AWS:*:* is vulnerable from (including)all
- ORcpe:2.3:o:palo_alto_networks:cloud_ngfw:*:*:*:*:*:Azure:*:* is vulnerable from (including)all
- or
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.4 and up to (excluding)12.1.4-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.7 and up to (excluding)12.1.7-h2
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.0 and up to (excluding)12.1.8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.4 and up to (excluding)11.2.4-h20
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.10 and up to (excluding)11.2.10-h12
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.13
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.4 and up to (excluding)11.1.4-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.6 and up to (excluding)11.1.6-h35
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.7 and up to (excluding)11.1.7-h8
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.10 and up to (excluding)11.1.10-h30
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.13 and up to (excluding)11.1.13-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.16
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.7 and up to (excluding)10.2.7-h36
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.13 and up to (excluding)10.2.13-h23
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.16 and up to (excluding)10.2.16-h9
- ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.18 and up to (excluding)10.2.18-h8
- or
- cpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h18
- ORcpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h39