Skip to content
Threat Feed
medium advisory

CVE-2026-0243: Prisma SD-WAN Denial-of-Service via Crafted IPv6 Packet

An unauthenticated, adjacent attacker can disrupt Palo Alto Networks Prisma SD-WAN ION devices by sending a specially crafted IPv6 packet, leading to a denial-of-service condition.

A denial-of-service (DoS) vulnerability, identified as CVE-2026-0243, affects Palo Alto Networks Prisma SD-WAN ION devices. An unauthenticated attacker, positioned in a network adjacent to a vulnerable device, can exploit this flaw by transmitting a specially crafted IPv6 packet. Successful exploitation results in a system disruption, impacting availability. The vulnerability affects Prisma SD-WAN ION versions prior to 6.5.3-b15, 6.4.3-b8, and 6.3.6-b10. The device must have IPv6 enabled for the vulnerability to be exploitable. Palo Alto Networks internally discovered this issue.

Attack Chain

  1. Attacker identifies a target Prisma SD-WAN ION device with IPv6 enabled.
  2. Attacker crafts a malicious IPv6 packet specifically designed to trigger the DoS vulnerability.
  3. Attacker transmits the crafted IPv6 packet to the target Prisma SD-WAN ION device from an adjacent network.
  4. The device receives and processes the malicious IPv6 packet.
  5. The processing of the crafted packet triggers excessive resource allocation or an unchecked loop condition.
  6. The device’s system resources (CPU, memory) become exhausted due to the excessive resource allocation.
  7. The device becomes unresponsive and unable to process legitimate network traffic.
  8. The Prisma SD-WAN ION device experiences a denial-of-service condition, disrupting network operations.

Impact

Successful exploitation of CVE-2026-0243 results in a denial-of-service condition on affected Prisma SD-WAN ION devices. This disruption can lead to network outages, impacting business operations that rely on the SD-WAN infrastructure. Palo Alto Networks is not aware of any malicious exploitation of this issue in the wild.

Recommendation

  • Upgrade Prisma SD-WAN ION to version 6.5.3-b15, 6.4.3-b8, or 6.3.6-b10 or later to remediate CVE-2026-0243.
  • Disable IPv6 on Prisma SD-WAN ION devices if it is not required as a workaround.
  • Deploy the Sigma rule “Detect Suspicious IPv6 Traffic to Prisma SD-WAN ION” to identify potentially malicious IPv6 packets targeting Prisma SD-WAN devices.

Detection coverage 2

Detect Suspicious IPv6 Traffic to Prisma SD-WAN ION

medium

Detects suspicious IPv6 traffic patterns potentially related to CVE-2026-0243 targeting Prisma SD-WAN ION devices.

sigma tactics: availability techniques: T1498 sources: network_connection, firewall

Detect High Packet Rate to Prisma SD-WAN ION Device

low

Detects a high rate of packets being sent to a Prisma SD-WAN ION device, which may indicate a denial-of-service attempt.

sigma tactics: availability techniques: T1498 sources: firewall, firewall

Detection queries are available on the platform. Get full rules →