PAN-OS: Denial of Service Vulnerabilities in Network Traffic Parsing

Plan PatchCVSS 8.7CVE-2026-0262May 13, 2026

Palo Alto NetworksTransportation

IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries

Summary

Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS software allow an unauthenticated attacker with network access to cause a denial of service condition by sending specially crafted network traffic to a dataplane interface. Panorama and Cloud NGFW are not impacted by these vulnerabilities.

What this means

What could happen

An attacker on the network could send malicious traffic to a Palo Alto Networks firewall to crash or disable it, interrupting all traffic inspection and network connectivity until the device recovers or is rebooted.

Who's at risk

Organizations running Palo Alto Networks PAN-OS firewalls or Prisma Access gateways in transportation and other sectors should assess their versions immediately. This affects network perimeter security devices that inspect and route all production traffic, making denial of service impact critical to operations.

How it could be exploited

An attacker with network access to a dataplane interface of a PAN-OS firewall sends specially crafted network packets that trigger a parsing error in the traffic processing engine, causing the firewall to stop responding. No authentication is required.

Prerequisites

Network access to a dataplane interface of the affected PAN-OS or Prisma Access device
Ability to send specially crafted network traffic to the firewall

Remotely exploitableNo authentication requiredLow complexityAffects network perimeter securityMultiple affected versions across product lines

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (7)

6 with fix1 EOL

ProductAffected VersionsFix Status

PAN-OSBelow 12.1.4-h512.1.4-h5+

PAN-OSBelow 12.1.712.1.7 (ETA: 05/28)+

Prisma AccessBelow 11.2.4-h1711.2.4-h17 (ETA: 05/28)+

Prisma AccessBelow 11.2.7-h1311.2.7-h13+

Prisma AccessBelow 11.2.10-h611.2.10-h6+

Prisma AccessBelow 11.2.1211.2.12 (ETA: 05/28)+

Cloud NGFWNone on Azure/AWS unless you have been contacted by Palo Alto NetworksNo fix (EOL)

Remediation & Mitigation

0/7

Do now

0/1

WORKAROUNDIf patches cannot be applied immediately, enable Threat Prevention Threat IDs 510011, 510015, 510022 (HTTP only), and 510023 (requires Applications and Threats content version 9100-10044 or later and SSL Decryption enabled) to block attacks

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

PAN-OS

HOTFIXUpdate PAN-OS to version 12.1.4-h5 or later (for the 12.1.4 branch)

HOTFIXUpdate PAN-OS to version 12.1.7 or later (for the 12.1 branch, ETA 05/28/2025)

Prisma Access

HOTFIXUpdate Prisma Access to version 11.2.4-h17 or later (for the 11.2.4 branch, ETA 05/28/2025)

HOTFIXUpdate Prisma Access to version 11.2.7-h13 or later (for the 11.2.7 branch)

HOTFIXUpdate Prisma Access to version 11.2.10-h6 or later (for the 11.2.10 branch)

HOTFIXUpdate Prisma Access to version 11.2.12 or later (for the 11.2 branch, ETA 05/28/2025)

CVEs (1)

CVE-2026-0262

View full vendor advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/587f5a0e-669e-40bd-a344-841b18e632da

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.