A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms except Cloud NGFW and Prisma Access) or potentially execute arbitrary code by sending specially crafted network traffic (PA-Series hardware only). Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability.
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 4.0 | 7.2 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:U/AU:Y/R:U/V:C/RE:H/U:Red |
| 4.0 | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:A/V:D/RE:M/U:Amber |

| Version | Minor version | Suggested solution |
|---|---|---|
| Cloud NGFW | | No action needed |
| PAN-OS 12.1 | 12.1.5 through 12.1.6 | Upgrade to 12.1.7 or later. |
| | 12.1.2 through 12.1.4-h* | Upgrade to 12.1.4-h5 or 12.1.7 or later. |
| PAN-OS 11.2 | 11.2.11 or later | Upgrade to 11.2.12 or later. |
| | 11.2.8 through 11.2.10-h* | Upgrade to 11.2.10-h6 or 11.2.12 or later. |
| | 11.2.5 through 11.2.7-h* | Upgrade to 11.2.7-h13 or 11.2.10 or later. |
| | 11.2.0 through 11.2.4-h* | Upgrade to 11.2.4-h17 or 11.2.7 or later. |
| PAN-OS 11.1 | 11.1.14 or later | Upgrade to 11.1.15 or later. |
| | 11.1.11 through 11.1.13-h* | Upgrade to 11.1.13-h5 or 11.1.15 or later. |
| | 11.1.8 through 11.1.10-h* | Upgrade to 11.1.10-h25 or 11.1.15 or later. |
| | 11.1.7 through 11.1.7-h* | Upgrade to 11.1.7-h6 or 11.1.15 or later. |
| | 11.1.5 through 11.1.6-h* | Upgrade to 11.1.6-h32 or 11.1.15 or later. |
| | 11.1.0 through 11.1.4-h* | Upgrade to 11.1.4-h33 or 11.1.15 or later. |
| PAN-OS 10.2 | 10.2.17 through 10.2.18-h* | Upgrade to 10.2.18-h6 or later. |
| | 10.2.14 through 10.2.16-h* | Upgrade to 10.2.16-h7 or 10.2.18-h6 or later. |
| | 10.2.11 through 10.2.13-h* | Upgrade to 10.2.13-h21 or 10.2.18-h6 or later. |
| | 10.2.8 through 10.2.10-h* | Upgrade to 10.2.10-h36 or 10.2.18-h6 or later. |
| | 10.2.0 through 10.2.7-h* | Upgrade to 10.2.7-h34 or 10.2.18-h6 or later. |
| Prisma Access | | No action needed. |
| All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |

This issue is applicable only to PAN-OS firewalls if either of the following conditions is true:

1. DNS Proxy is enabled (Network > DNS Proxy) AND a network interface is attached to DNS Proxy.

OR

2. The DNS server (Device > Setup > Services) configured on NGFW is a compromised public untrusted IP address.

The risk is higher if the interface is externally exposed to an untrusted network. Further documentation on configuring DNS Proxy can be found here (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFcCAK).

Customers can mitigate the risk of this issue by taking either of the following actions:

Action 1:

* Disassociate DNS Proxy from externally accessible interfaces in order to reduce your attack surface; AND
* Configure DNS server with an RFC1918 or a public trusted IP address.

OR

Action 2:

* Disable the DNS Proxy feature (Network > DNS Proxy) if it is not being used; AND
* Configure DNS server with an RFC1918 or a public trusted IP address.

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510027 from Applications and Threats content version 9100-10044 and later.

Palo Alto Networks is not aware of any malicious exploitation of this issue.
| Event | Date |
|---|---|
| Initial Publication. | 2026-05-13 16:00:00 |
| Hyperlink | Resource |
|---|---|
| https://security.paloaltonetworks.com/CVE-2026-0264 | vendor-advisory |