PAN-SA-2026-0006 Informational Bulletin: Impact assessment of OSS CVEs in PAN-OS

Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the affected OSS package, PAN-OS does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.
| CVE | Summary |
|---|---|
| CVE-2023-2176 | PAN-OS is not affected as PAN-OS does not use RDMA. |
| CVE-2023-5633 | PAN-OS is not affected as the prerequisite conditions needed to be vulnerable do not exist in PAN-OS. |
| CVE-2023-28464 | PAN-OS is not affected as PAN-OS does not use the Bluetooth subsystem. |
| CVE-2024-0646 | PAN-OS is not affected as PAN-OS does not use the function splice() with a ktls socket as the destination. |
| CVE-2024-36971 | PAN-OS is not affected as PAN-OS does not use the vulnerable function __dst_negative_advice(). |
| CVE-2024-36886 | PAN-OS is not affected as PAN-OS does not use the vulnerable function tipc_buf_append(). |
| CVE-2025-57052 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable cjson library. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | All |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Solution
The OSS CVEs are fixed in the respective PAN-OS versions.
CPE Applicability
Timeline
Initial Publication