Skip to content
Threat Feed
medium advisory

CVE-2026-0262 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Parsing

Unauthenticated attackers can cause a denial of service (DoS) condition on Palo Alto Networks PAN-OS firewalls by sending specially crafted network traffic, as described in CVE-2026-0262.

Multiple denial of service vulnerabilities exist in Palo Alto Networks PAN-OS software. An unauthenticated attacker with network access can exploit these vulnerabilities (CVE-2026-0262) to cause a denial-of-service (DoS) condition. The vulnerabilities are triggered by sending specially crafted network traffic to the affected PAN-OS device. Panorama and Cloud NGFW are not affected. These vulnerabilities impact multiple versions of PAN-OS, including 10.2, 11.1, 11.2, and 12.1. Palo Alto Networks internally discovered these issues.

Attack Chain

  1. An unauthenticated attacker identifies a vulnerable PAN-OS firewall exposed to network traffic.
  2. The attacker crafts malicious network traffic specifically designed to exploit the parsing vulnerabilities.
  3. The attacker sends the crafted network traffic to the vulnerable PAN-OS firewall.
  4. The PAN-OS device attempts to parse the malicious traffic.
  5. Due to improper checks for unusual or exceptional conditions (CWE-754) during parsing, the device’s resources are consumed.
  6. The device experiences a denial-of-service condition, impacting network availability.

Impact

Successful exploitation of CVE-2026-0262 can lead to a denial-of-service (DoS) condition on affected Palo Alto Networks PAN-OS firewalls. This can disrupt network services, impacting business operations and potentially leading to financial losses. While Palo Alto Networks is unaware of any malicious exploitation, the CVSS score indicates high availability impact if exploited.

Recommendation

  • Upgrade PAN-OS to the fixed versions specified in the Palo Alto Networks advisory to remediate CVE-2026-0262.
  • Customers with a Threat Prevention subscription can enable Threat IDs 510011, 510015, 510022 (HTTP traffic only), and 510023 to block attacks targeting CVE-2026-0262. Note that SSL Decryption is required for these Threat IDs.
  • Monitor network traffic for patterns indicative of denial-of-service attacks, focusing on potentially malformed packets.
  • Deploy the Sigma rule Detect CVE-2026-0262 Possible DoS Attack to identify potential exploitation attempts based on suspicious network connections to PAN-OS devices.

Detection coverage 2

Detect CVE-2026-0262 Possible DoS Attack

medium

Detects CVE-2026-0262 exploitation — monitors for unusual network connections to PAN-OS devices that may indicate a denial of service attack.

sigma tactics: availability techniques: T1498, T1498.001 sources: network_connection, windows

Detect PAN-OS Network Traffic Parsing DoS via HTTP (CVE-2026-0262)

medium

Detects CVE-2026-0262 exploitation — monitors for HTTP traffic potentially crafted to trigger the PAN-OS network traffic parsing DoS vulnerability based on suspicious URI characteristics.

sigma tactics: cve-2026-0262, denial_of_service techniques: T1498 sources: webserver

Detection queries are available on the platform. Get full rules →