Skip to main content
CVE Vulnerability Database

CVE-2026-0264: Palo Alto PAN-OS DNS Proxy RCE Vulnerability

CVE-2026-0264 is a buffer overflow RCE vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS that allows unauthenticated attackers to execute arbitrary code or cause DoS. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-0264 Overview

CVE-2026-0264 is a heap-based buffer overflow vulnerability [CWE-122] in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software. An unauthenticated attacker with network access can send specially crafted network traffic to trigger the flaw. On all PAN-OS platforms except Cloud NGFW and Prisma Access, exploitation causes a denial-of-service (DoS) condition. On PA-Series hardware, the same flaw can potentially be leveraged for arbitrary code execution. Panorama, Cloud NGFW, and Prisma® Access are not impacted.

Critical Impact

Unauthenticated remote attackers can crash affected firewalls or potentially execute arbitrary code on PA-Series hardware by sending crafted DNS traffic.

Affected Products

  • Palo Alto Networks PAN-OS Software (DNS proxy and DNS Server features enabled)
  • PA-Series hardware firewalls (arbitrary code execution path)
  • All PAN-OS platforms except Cloud NGFW and Prisma Access (DoS path)

Discovery Timeline

  • 2026-05-13 - CVE-2026-0264 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-0264

Vulnerability Analysis

The vulnerability resides in the DNS proxy and DNS Server features of PAN-OS. These components parse inbound DNS traffic on behalf of clients behind the firewall. A heap-based buffer overflow [CWE-122] in this parsing logic allows attacker-controlled data to write past the bounds of an allocated buffer. The impact differs by platform. On virtual and container-based PAN-OS deployments, memory corruption produces a process crash and resulting denial of service. On PA-Series hardware appliances, the corruption can potentially be steered toward arbitrary code execution in the context of the affected service. Panorama management appliances, Cloud NGFW, and Prisma Access do not expose the vulnerable code paths and are not affected.

Root Cause

The root cause is improper bounds checking when the DNS proxy or DNS Server feature processes attacker-supplied network input. The defect is classified as a heap-based buffer overflow under [CWE-122]. Insufficient validation of length or structure fields in DNS protocol data allows oversized or malformed data to overwrite adjacent heap memory.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends specially crafted DNS network traffic to a PAN-OS device that has the DNS proxy or DNS Server feature enabled. Devices without these features configured are not exposed. Exploitation complexity is elevated, reflecting non-trivial conditions required to reliably achieve memory corruption beyond a crash. EPSS currently lists the probability of exploitation at 0.072%.

No verified proof-of-concept code is publicly available. Refer to the Palo Alto Networks Advisory CVE-2026-0264 for technical details.

Detection Methods for CVE-2026-0264

Indicators of Compromise

  • Unexpected restarts or crash logs from the DNS proxy or DNS Server process on PAN-OS devices.
  • Anomalous inbound DNS packets with malformed or oversized fields directed at firewall data plane interfaces.
  • Gaps in DNS resolution availability for clients relying on the firewall as a DNS proxy.

Detection Strategies

  • Monitor PAN-OS system logs for dataplane process crashes, segmentation faults, or watchdog-triggered restarts tied to DNS components.
  • Inspect DNS traffic destined for firewall interfaces for protocol anomalies, oversized records, and non-standard label lengths.
  • Correlate firewall availability alerts with upstream DNS query patterns to identify probing or exploitation attempts.

Monitoring Recommendations

  • Enable verbose logging on PAN-OS dataplane components and forward logs to a centralized SIEM for correlation.
  • Alert on repeated DNS parse errors or service restarts originating from the same external source IP.
  • Track configuration state for DNS proxy and DNS Server features to maintain an accurate exposure inventory.

How to Mitigate CVE-2026-0264

Immediate Actions Required

  • Identify all PAN-OS devices with the DNS proxy or DNS Server features enabled and prioritize them for patching.
  • Apply the fixed PAN-OS versions listed in the Palo Alto Networks Advisory CVE-2026-0264 as soon as they are available in your maintenance window.
  • Restrict inbound DNS traffic to firewall interfaces using access control lists where the DNS proxy is not required from untrusted networks.

Patch Information

Palo Alto Networks has published vendor guidance and fixed software versions in the Palo Alto Networks Advisory CVE-2026-0264. Administrators should consult the advisory for the specific PAN-OS releases that remediate the heap-based buffer overflow in the DNS proxy and DNS Server features. Panorama, Cloud NGFW, and Prisma Access do not require patching for this issue.

Workarounds

  • Disable the DNS proxy and DNS Server features on PAN-OS devices where they are not operationally required.
  • Limit DNS traffic to firewall interfaces using security policies and zone protection profiles that restrict source networks.
  • Place untrusted DNS resolvers upstream of the firewall so that the PAN-OS DNS components do not directly parse traffic from the internet.
bash
# Example: disable DNS proxy on a PAN-OS device (CLI)
configure
delete network dns-proxy <dns-proxy-name>
commit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.