CVE-2026-0263 PAN-OS: Remote Code Execution (RCE) in IKEv2 Processing
A buffer overflow vulnerability in Palo Alto Networks PAN-OS IKEv2 processing (CVE-2026-0263) allows unauthenticated network-based attackers to execute arbitrary code with elevated privileges or cause a denial of service, affecting versions 12.1, 11.2, and 11.1 when configured with Post Quantum Cryptography (PQC).
CVE-2026-0263 is a buffer overflow vulnerability affecting Palo Alto Networks PAN-OS software. This vulnerability resides in the processing of IKEv2 when Post Quantum Cryptography (PQC) is enabled. An unauthenticated, network-based attacker can exploit this flaw to achieve remote code execution (RCE) with elevated privileges on the firewall or trigger a denial-of-service (DoS) condition. The vulnerability impacts PAN-OS versions 12.1 prior to 12.1.4-h5 and 12.1.7, 11.2 prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12, and 11.1 prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 and 11.1.15. Exploitation requires the use of IKEv2 VPN tunnels configured with PQC. Panorama, Cloud NGFW, and Prisma Access are not affected by this vulnerability.
Attack Chain
- The attacker sends a crafted IKEv2 packet to a vulnerable PAN-OS firewall.
- The firewall processes the malicious IKEv2 packet using the vulnerable IKEv2 processing module.
- Due to the buffer overflow in the IKEv2 processing logic when PQC is enabled, the attacker’s payload overwrites adjacent memory regions.
- The overwritten memory contains critical system code or data.
- The attacker gains control of the execution flow by overwriting a function pointer or return address.
- The attacker injects and executes arbitrary code with elevated privileges on the firewall.
- Alternatively, the attacker causes a denial-of-service (DoS) condition by corrupting system data, leading to a crash.
- The attacker achieves remote code execution or causes a denial of service on the affected firewall.
Impact
Successful exploitation of CVE-2026-0263 allows an unauthenticated attacker to execute arbitrary code with elevated privileges on the firewall. This can lead to complete system compromise, including data exfiltration, modification of firewall policies, and disruption of network services. Alternatively, the attacker can cause a denial-of-service (DoS) condition, impacting network availability and business operations.
Recommendation
- Upgrade PAN-OS to the fixed versions: 12.1.4-h5 or later, 12.1.7 or later, 11.2.4-h17 or later, 11.2.7-h13 or later, 11.2.10-h6 or later, 11.2.12 or later, 11.1.4-h33 or later, 11.1.6-h32 or later, 11.1.7-h6 or later, 11.1.10-h25 or later, 11.1.13-h5 or later, 11.1.15 or later, as detailed in the Palo Alto Networks advisory for CVE-2026-0263.
- If upgrading is not immediately possible, mitigate the vulnerability by configuring IKEv2 VPN tunnels only with NIST-approved Post Quantum Cryptography (PQC) ciphers, as mentioned in the advisory for CVE-2026-0263.
- Monitor network traffic for anomalous IKEv2 packets, especially those with unusual sizes or structures, using network intrusion detection systems (NIDS).
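As an added example (not the vendor's guidance and not the platform's detection query), the structural monitoring recommended above can start with a consistency check on the IKEv2 header and payload chain as laid out in RFC 7296: every declared length must agree with the bytes actually received. The `check_ikev2_packet` and `build_packet` names and the sample datagrams are constructed here; the check flags inconsistent length fields in general, not the specific trigger of this CVE, which the advisory does not describe.

```python
import struct

IKE_HDR_LEN = 28        # fixed IKE header, RFC 7296 section 3.1
IKEV2_VERSION = 0x20    # major version 2, minor version 0
PAYLOAD_HDR_LEN = 4     # generic payload header, RFC 7296 section 3.2
NO_NEXT_PAYLOAD = 0
IKE_SA_INIT = 34        # exchange type used for the constructed samples
SA, KE, NONCE = 33, 34, 40  # payload types used for the constructed samples

def check_ikev2_packet(data: bytes) -> list:
    """Return structural anomalies in one IKEv2 datagram (empty list = consistent).
    Checks only header/payload length consistency, not semantic content."""
    problems = []
    if len(data) < IKE_HDR_LEN:
        return ["datagram shorter than the 28-byte IKE header"]
    _spi_i, _spi_r, next_pl, version, _exch, _flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HDR_LEN])
    if version != IKEV2_VERSION:
        problems.append(f"unexpected version byte 0x{version:02x}")
    if length != len(data):
        problems.append(f"header length {length} != datagram length {len(data)}")
    # Walk the payload chain: each generic header must fit inside the datagram
    # and claim at least its own size, otherwise a parser trusting it over-reads.
    off = IKE_HDR_LEN
    while next_pl != NO_NEXT_PAYLOAD:
        if off + PAYLOAD_HDR_LEN > len(data):
            problems.append(f"payload header at offset {off} runs past datagram end")
            return problems
        nxt, _crit, pl_len = struct.unpack("!BBH", data[off:off + PAYLOAD_HDR_LEN])
        if pl_len < PAYLOAD_HDR_LEN or off + pl_len > len(data):
            problems.append(f"payload type {next_pl} at offset {off} claims length {pl_len}")
            return problems
        off, next_pl = off + pl_len, nxt
    if off != len(data):
        problems.append(f"{len(data) - off} trailing bytes after the last payload")
    return problems

def build_packet(payloads, declared_len=None) -> bytes:
    """Constructed sample: assemble an IKE_SA_INIT datagram from (type, body) pairs.
    declared_len deliberately overrides the header length field when given."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(pbody)) + pbody
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    total = IKE_HDR_LEN + len(body)
    hdr = struct.pack("!QQBBBBII", 0x0102030405060708, 0, first, IKEV2_VERSION,
                      IKE_SA_INIT, 0x08, 0, total if declared_len is None else declared_len)
    return hdr + body
```

A well-formed sample returns an empty list; a datagram whose header length or payload length disagrees with the received bytes returns a description of the first inconsistency.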
Detection coverage (2 rules)
- Detect CVE-2026-0263 Exploitation Attempt - Malformed IKEv2 Packet
  Severity: medium. Detects CVE-2026-0263 exploitation attempts by identifying malformed IKEv2 packets indicative of a buffer overflow attempt.
- Detect CVE-2026-0263 Exploitation - PAN-OS Crash related to IKEv2 processing
  Severity: high. Detects potential exploitation of CVE-2026-0263 by monitoring PAN-OS system logs for a crash or restart event related to IKEv2 processing, which could signal a denial-of-service condition.