PAN-OS: Heap-Based Buffer Overflow in DNS Proxy and DNS Server Allows Unauthenticated Remote Code Execution
Priority: Plan Patch · CVSS 9.2 · CVE-2026-0264 · May 13, 2026
Palo Alto Networks · Transportation
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
A heap-based buffer overflow exists in the DNS Proxy and DNS Server features of Palo Alto Networks PAN-OS, Prisma Access, and Cloud NGFW. An unauthenticated attacker with network access can send specially crafted DNS packets to cause a denial of service (crash) on all affected platforms, or achieve remote code execution on PA-Series hardware. The vulnerability is triggered when the DNS proxy or DNS server processes oversized input, overflowing internal buffers.
What this means
What could happen
A buffer overflow in PAN-OS DNS proxy/server features allows an unauthenticated attacker on your network to crash the firewall (denial of service) or execute arbitrary code on PA-Series hardware, potentially disrupting all network traffic and critical services the firewall protects.
Who's at risk
Organizations using Palo Alto Networks firewalls (PAN-OS on PA-Series hardware, Prisma Access, or Panorama appliances) that provide DNS proxy or DNS server services to their networks. Cloud NGFW on AWS and unpatched Cloud NGFW on Azure are affected. This is critical for any environment where the firewall is the network gateway, including transportation, utilities, and manufacturing.
How it could be exploited
An attacker with network access to the DNS proxy or DNS server ports sends a specially crafted DNS packet to the firewall. The oversized payload overflows a buffer in the DNS processing code, causing either a crash (all platforms) or code execution (PA-Series hardware only), giving the attacker control of the firewall itself.
Prerequisites
- Network access to DNS proxy or DNS server ports (typically UDP/TCP port 53)
- DNS proxy or DNS server feature must be enabled and reachable from the attacker's network segment
Tags: remotely exploitable · no authentication required · low complexity · affects critical network infrastructure · no patch available for Cloud NGFW
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (8): 6 with fix, 2 pending

Product | Affected Versions | Fix Status
Cloud NGFW | None on AWS | No fix yet
Cloud NGFW | None on Azure unless you have been contacted by Palo Alto Networks | No fix yet
PAN-OS | Below 12.1.4-h5 | 12.1.4-h5 or later
PAN-OS | Below 12.1.7 | 12.1.7 or later (ETA: 05/28)
Prisma Access | Below 11.2.4-h17 | 11.2.4-h17 or later (ETA: 05/28)
Prisma Access | Below 11.2.7-h13 | 11.2.7-h13 or later
Prisma Access | Below 11.2.10-h6 | 11.2.10-h6 or later
Prisma Access | Below 11.2.12 | 11.2.12 or later (ETA: 05/28)
Remediation & Mitigation
Do now
- WORKAROUND: Disable the DNS Proxy feature (Network > DNS Proxy) if it is not required for your operations
- HARDENING: Remove DNS Proxy from externally accessible network interfaces; bind it only to internal or trusted interfaces
- HARDENING: Configure the DNS server to use only RFC 1918 private IP addresses, or verify it is configured with a trusted public IP address only
- WORKAROUND: Enable Threat ID 510027 in Applications and Threats content version 9100-10044 or later if you have a Threat Prevention subscription
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- PAN-OS, HOTFIX: Update PAN-OS to version 12.1.4-h5 or later, or 12.1.7 or later (both on the 12.1.x branch)
- Prisma Access, HOTFIX: Update Prisma Access to version 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12 or later, depending on your current version
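A version-triage helper for the fix table above, added here as an example (not code from the advisory or from Palo Alto Networks). It assumes the table's convention that a hotfix entry (e.g. 12.1.4-h5) fixes only its own base release, while the entry without a -h suffix (12.1.7, 11.2.12) is the first regular release on that branch carrying the fix; it covers only the 12.1.x and 11.2.x branches the table lists, and the inventory in the block is constructed.

```python
import re

# Fixed releases exactly as listed in the advisory table for CVE-2026-0264.
FIXED_RELEASES = {
    "PAN-OS": ["12.1.4-h5", "12.1.7"],
    "Prisma Access": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.
    A plain release sorts below every hotfix of the same base (hotfix 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def required_fix(product, installed):
    """Fixed release the installed build must reach: the hotfix entry on the
    same base release if the table has one, else the branch's plain release
    (assumption: the entry without -h is where the fix was merged)."""
    base = parse_version(installed)[:3]
    plain = None
    for fixed in FIXED_RELEASES[product]:
        parsed = parse_version(fixed)
        if parsed[:3] == base and parsed[3] != 0:
            return fixed
        if parsed[3] == 0:
            plain = fixed
    if plain is None or parse_version(plain)[:2] != base[:2]:
        raise ValueError(f"{product} {base[0]}.{base[1]}.x is not listed in the advisory")
    return plain


def is_affected(product, installed):
    """True when the installed build is below its required fixed release."""
    return parse_version(installed) < parse_version(required_fix(product, installed))


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("PAN-OS", "12.1.4-h3"), ("PAN-OS", "12.1.4-h5"),
                 ("PAN-OS", "12.1.6"), ("PAN-OS", "12.1.7-h1"),
                 ("Prisma Access", "11.2.10-h2"), ("Prisma Access", "11.2.12")]
    for product, ver in inventory:
        state = "AFFECTED" if is_affected(product, ver) else "fixed"
        print(f"{product:14} {ver:12} {state:8} (fix: {required_fix(product, ver)})")
```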
CVEs (1)
- CVE-2026-0264