PAN-OS: Denial of Service in Advanced DNS Security Feature

Plan Patch | 8.7 | CVE-2026-0229 | Feb 11, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A denial-of-service vulnerability in the Advanced DNS Security (ADNS) feature of PAN-OS allows an unauthenticated attacker to send maliciously crafted packets that trigger firewall reboots. Repeated exploitation causes the firewall to enter maintenance mode, blocking all network traffic. The vulnerability affects PAN-OS below version 12.1.4 and Panorama below version 11.2.10. Cloud NGFW and Prisma Access are not affected.

What this means
What could happen
An attacker can send specially crafted packets to crash the firewall's DNS security feature, causing it to reboot repeatedly and enter maintenance mode, disrupting all network traffic passing through it.
Who's at risk
This affects organizations using Palo Alto Networks PAN-OS firewalls with Advanced DNS Security enabled. Firewall appliances protecting network perimeters, data centers, and branch offices are at risk of service disruption.
How it could be exploited
An attacker on a network segment that can reach the firewall's DNS security service sends maliciously crafted DNS packets. The vulnerable ADNS feature processes these packets without proper validation, triggering a reboot. Multiple packets cause repeated reboots and maintenance mode, effectively taking the firewall offline.
Prerequisites
  • Network access to the firewall's DNS security port or service
  • Advanced DNS Security (ADNS) feature must be enabled on the PAN-OS firewall
remotely exploitable, no authentication required, low complexity, affects network availability and uptime
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix

Product         | Affected Versions | Fix Status
PAN-OS Firewall | Below 12.1.4      | 12.1.4+
Panorama        | Below 11.2.10     | 11.2.10+
Remediation & Mitigation
Do now
WORKAROUND: Disable the Advanced DNS Security (ADNS) feature if it is not in use
HARDENING: Restrict network access to DNS security ports on the firewall to only trusted DNS clients and internal networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

PAN-OS Firewall
HOTFIX: Update PAN-OS firewall to version 12.1.4 or later
Panorama
HOTFIX: Update Panorama to version 11.2.10 or later
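
To turn the table and remediation steps above into a worklist, the following added example (not part of the advisory or any Palo Alto Networks tooling) triages a device inventory against the fixed versions listed on this page. The inventory layout, device names and status labels are assumptions made for illustration.

```python
import re

# Fixed releases, copied from the advisory's affected-products table.
FIXED = {"PAN-OS Firewall": (12, 1, 4), "Panorama": (11, 2, 10)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
PRIORITY = {"act-now": 0, "unknown-version": 1, "patch-scheduled": 2, "patched": 3}


def parse_version(text):
    """Parse 'major.minor.patch' with an optional '-hN' hotfix suffix."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def triage(device):
    """Classify one inventory row against the advisory."""
    try:
        version = parse_version(device["version"])
    except ValueError:
        return "unknown-version"  # needs a manual check, never assume patched
    # Compare numerically: as strings, "12.1.10" would sort below "12.1.4".
    # The hotfix number is ignored because the page lists only 12.1.4+ and
    # 11.2.10+ as fixed, not any hotfix of an earlier release.
    if version[:3] >= FIXED[device["product"]]:
        return "patched"
    # ADNS enabled is the advisory's prerequisite; unknown state counts as enabled.
    if device.get("adns_enabled", True):
        return "act-now"  # apply the "Do now" items, then patch
    return "patch-scheduled"


def worklist(inventory):
    """Return (name, status) pairs, most urgent first."""
    rows = [(d["name"], triage(d)) for d in inventory]
    return sorted(rows, key=lambda row: (PRIORITY[row[1]], row[0]))


# Constructed sample inventory (hypothetical device names and field layout).
INVENTORY = [
    {"name": "fw-plant-a", "product": "PAN-OS Firewall", "version": "12.1.3-h2", "adns_enabled": True},
    {"name": "fw-branch-7", "product": "PAN-OS Firewall", "version": "12.1.10", "adns_enabled": True},
    {"name": "fw-dc-1", "product": "PAN-OS Firewall", "version": "11.1.6", "adns_enabled": False},
    {"name": "pano-hq", "product": "Panorama", "version": "11.2.9"},
    {"name": "fw-lab", "product": "PAN-OS Firewall", "version": "unknown"},
]

if __name__ == "__main__":
    for name, status in worklist(INVENTORY):
        print(f"{status:16} {name}")
```

Devices marked `act-now` are below the fixed release with ADNS enabled or of unknown state, so the workaround and hardening items apply to them before the maintenance window.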
API: /api/v1/advisories/6d43aa97-b63f-4f28-8983-fdeb3d04985b
