Tags: high threat, exploited

CVE-2026-0264 PAN-OS Heap-Based Buffer Overflow in DNS Proxy Allows RCE

CVE-2026-0264 is a heap-based buffer overflow vulnerability in Palo Alto Networks PAN-OS DNS proxy and DNS server features, allowing an unauthenticated attacker with network access to cause denial of service or potentially execute arbitrary code by sending crafted network traffic.

A heap-based buffer overflow vulnerability, CVE-2026-0264, exists in the DNS Proxy and DNS Server features of Palo Alto Networks PAN-OS software. An unauthenticated attacker with network access can exploit this vulnerability to cause a denial-of-service (DoS) condition on PAN-OS platforms (excluding Cloud NGFW and Prisma Access) or potentially achieve arbitrary code execution (ACE) on PA-Series hardware. The vulnerability affects PAN-OS versions 10.2, 11.1, 11.2, and 12.1. Specifically, it impacts devices where DNS Proxy is enabled with a network interface attached, or where the DNS server configured on the NGFW uses a compromised, untrusted public IP address. The risk is heightened when the interface is exposed to an untrusted network. Palo Alto Networks is not aware of any malicious exploitation of this issue at the time of disclosure.

Attack Chain

  1. Attacker identifies a vulnerable PAN-OS firewall with DNS Proxy enabled and exposed to an untrusted network.
  2. The attacker crafts a malicious DNS query designed to trigger a heap-based buffer overflow.
  3. The attacker sends the specially crafted DNS query to the vulnerable PAN-OS firewall.
  4. The PAN-OS firewall’s DNS proxy processes the malicious DNS query.
  5. The buffer overflow occurs during the processing of the query in the DNS proxy or DNS server feature.
  6. On PA-Series hardware firewalls, the overflow allows the attacker to overwrite memory and inject arbitrary code.
  7. The injected code is executed, granting the attacker control over the firewall.
  8. Alternatively, on VM-Series, the buffer overflow leads to a denial-of-service condition, disrupting the firewall’s operation.

Impact

Successful exploitation of CVE-2026-0264 can lead to a denial-of-service condition on vulnerable PAN-OS firewalls, impacting network availability and security. On PA-Series hardware firewalls, successful exploitation could allow an unauthenticated attacker to achieve arbitrary code execution, potentially leading to full system compromise and unauthorized access to sensitive data. The vendor is not aware of active exploitation as of the date of disclosure.

Recommendation

  • Upgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory for CVE-2026-0264: 12.1.7, 12.1.4-h5, 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17, 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33, 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, or 10.2.7-h34.
  • As a workaround, disassociate DNS Proxy from externally accessible interfaces or disable the DNS Proxy feature (Network > DNS Proxy), and configure the DNS server with an RFC 1918 address or a trusted public IP address.
  • Enable Threat ID 510027 with Applications and Threats content version 9100-10044 or later to block attacks targeting this vulnerability if you have a Threat Prevention subscription.
  • Monitor network traffic for suspicious DNS queries, particularly those with unusual length or structure, which may indicate exploitation attempts.
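To make the first recommendation actionable, the following Python script (an added example, not Palo Alto Networks tooling or part of the original advisory) checks a running PAN-OS version string against the fixed-version list quoted above. It assumes the usual PAN-OS advisory semantics, which is an interpretation, not something the page states: within a release train (major.minor), any version at or above the newest listed release is fixed, and the remaining entries are hotfix backports that fix only that exact maintenance release from the listed hotfix number onward. Trains the list does not mention (for example 11.0) are reported as "not covered" rather than guessed.

```python
"""Check a PAN-OS version string against the CVE-2026-0264 fixed-version list.

Added example for the advisory summary; not vendor code. The fixed-version
list is copied from the recommendation section; the comparison semantics
are an ASSUMPTION about how Palo Alto Networks advisories are read.
"""
import re
from typing import List, Optional, Tuple

# Fixed versions as quoted in the recommendation for CVE-2026-0264.
FIXED_VERSIONS: List[str] = [
    "12.1.7", "12.1.4-h5",
    "11.2.12", "11.2.10-h6", "11.2.7-h13", "11.2.4-h17",
    "11.1.15", "11.1.13-h5", "11.1.10-h25", "11.1.7-h6", "11.1.6-h32", "11.1.4-h33",
    "10.2.18-h6", "10.2.16-h7", "10.2.13-h21", "10.2.10-h36", "10.2.7-h34",
]

# PAN-OS versions look like "11.1.10-h25"; the "-hN" hotfix suffix is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

Version = Tuple[int, int, int, int]  # (major, minor, patch, hotfix)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple (hotfix 0 if absent)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_fixed(running: str, fixed: List[str] = FIXED_VERSIONS) -> Optional[bool]:
    """Return True if `running` contains the fix, False if not, None if the
    release train is not covered by the fixed-version list at all.

    ASSUMED semantics: the newest listed release in a train is the baseline
    (that version and anything later in the train is fixed); every other
    listed entry is a hotfix backport that only fixes its exact patch level
    from that hotfix number onward (e.g. 11.1.10-h25 fixes 11.1.10-h25+,
    but 11.1.11 without a listed entry stays vulnerable).
    """
    version = parse_version(running)
    train = version[:2]
    in_train = [parse_version(f) for f in fixed if parse_version(f)[:2] == train]
    if not in_train:
        return None
    baseline = max(in_train)
    if version >= baseline:
        return True
    # Backport check: same maintenance release, hotfix at or above the listed one.
    return any(version[:3] == f[:3] and version[3] >= f[3] for f in in_train)


def describe(running: str) -> str:
    """Human-readable verdict for one version string."""
    verdict = is_fixed(running)
    if verdict is None:
        return f"{running}: release train not in the fixed-version list; check the advisory"
    return f"{running}: {'fixed' if verdict else 'VULNERABLE - upgrade required'}"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["11.1.10-h25", "11.1.10-h24", "11.1.14", "10.2.19", "12.1.4", "11.0.3"]:
        print(describe(sample))
```

In practice the version string would come from your firewall inventory export rather than the hard-coded samples; the comparison logic is the part worth keeping, because a naive string comparison mishandles both the hotfix suffix and the backport entries.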

Detection coverage (2 rules)

Detect CVE-2026-0264 Exploitation Attempt - Suspicious DNS Query Length

Severity: medium

Detects CVE-2026-0264 exploitation attempt by monitoring DNS query length indicative of a buffer overflow attempt

Format: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: dns_query, windows

Detect CVE-2026-0264 - DNS Query with Excessive Subdomain Levels

Severity: low

Detects CVE-2026-0264 exploitation attempts via DNS queries containing an unusually high number of subdomain levels, often used to trigger buffer overflows.

Format: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: dns_query, windows
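Both detection rules above, and the monitoring recommendation in the previous section, key on the same two properties of a DNS query name: its overall length and how many labels (subdomain levels) it has. The script below is an added example, not the platform's Sigma rules or vendor code, showing that logic run over a few constructed DNS query log lines. The `qname=` field format and the numeric thresholds (name longer than 200 characters, more than 20 labels) are assumptions chosen for the example; the 63-character per-label limit comes from RFC 1035 and is checked as well, since a label that long cannot be a legitimate query name. Tune the thresholds to your own baseline before relying on them.

```python
"""Flag DNS query names whose length or label structure is anomalous.

Added example for the two detection rules (suspicious query length and
excessive subdomain levels); it is not the platform's own rule code.
Log format (a 'qname=' key/value field) and thresholds are ASSUMPTIONS.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

MAX_NAME_LEN = 200   # ASSUMED threshold for the "suspicious query length" rule
MAX_LABELS = 20      # ASSUMED threshold for the "excessive subdomain levels" rule
MAX_LABEL_LEN = 63   # RFC 1035 section 2.3.4: a single label is at most 63 octets

QNAME_RE = re.compile(r"\bqname=(\S+)")


@dataclass
class Finding:
    rule: str
    qname: str
    detail: str


def analyze_qname(qname: str) -> List[Finding]:
    """Apply the length and structure checks to one query name."""
    findings: List[Finding] = []
    name = qname.rstrip(".")            # ignore the trailing root dot
    labels = [lbl for lbl in name.split(".") if lbl]

    if len(name) > MAX_NAME_LEN:
        findings.append(Finding("suspicious_query_length", qname,
                                f"name length {len(name)} > {MAX_NAME_LEN}"))
    if len(labels) > MAX_LABELS:
        findings.append(Finding("excessive_subdomain_levels", qname,
                                f"{len(labels)} labels > {MAX_LABELS}"))
    oversized = [lbl for lbl in labels if len(lbl) > MAX_LABEL_LEN]
    if oversized:
        findings.append(Finding("oversized_label", qname,
                                f"{len(oversized)} label(s) longer than {MAX_LABEL_LEN}"))
    return findings


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Extract the qname from each log line and collect findings across all lines."""
    findings: List[Finding] = []
    for line in lines:
        match = QNAME_RE.search(line)
        if not match:
            continue                     # not a DNS query record; skip
        findings.extend(analyze_qname(match.group(1)))
    return findings


# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = [
    "2026-01-15T10:00:01Z dns-proxy query src=10.1.1.5 qname=www.example.com. qtype=A",
    "2026-01-15T10:00:02Z dns-proxy query src=203.0.113.7 qname="
    + "a" * 120 + "." + "b" * 120 + ".example.com qtype=TXT",
    "2026-01-15T10:00:03Z dns-proxy query src=203.0.113.7 qname="
    + ".".join(["x"] * 30) + ".example.com qtype=A",
    "2026-01-15T10:00:04Z system info: config commit completed",
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}: {f.qname[:60]}...")
```

A hit on `oversized_label` is the strongest of the three signals, because a resolver will never emit such a name on its own; the two threshold-based rules are noisier and should be baselined against the tenant's normal DNS traffic (DNS-over-HTTPS front ends and some CDN hostnames legitimately produce long names).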
