<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PAN-OS 10.2 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pan-os-10.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 13 May 2026 16:08:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pan-os-10.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-0264 PAN-OS Heap-Based Buffer Overflow in DNS Proxy Allows RCE</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0264-panos-rce/</link><pubDate>Wed, 13 May 2026 16:08:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0264-panos-rce/</guid><description>CVE-2026-0264 is a heap-based buffer overflow vulnerability in Palo Alto Networks PAN-OS DNS proxy and DNS server features, allowing an unauthenticated attacker with network access to cause denial of service or potentially execute arbitrary code by sending crafted network traffic.</description><content:encoded><![CDATA[<p>A heap-based buffer overflow vulnerability, CVE-2026-0264, exists in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS software. An unauthenticated attacker with network access can exploit this vulnerability to cause a denial of service (DoS) condition on PAN-OS platforms (excluding Cloud NGFW and Prisma Access) or potentially achieve arbitrary code execution (ACE) on PA-Series hardware. The vulnerability affects PAN-OS versions 10.2, 11.1, 11.2, and 12.1. 
Specifically, it impacts devices where DNS Proxy is enabled with a network interface attached, or where the DNS server configured on the NGFW is a public, untrusted IP address that has been compromised. The risk is heightened when the interface is exposed to an untrusted network. Palo Alto Networks is not aware of any malicious exploitation of this issue at the time of disclosure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable PAN-OS firewall with DNS Proxy enabled and exposed to an untrusted network.</li>
<li>The attacker crafts a malicious DNS query designed to trigger a heap-based buffer overflow.</li>
<li>The attacker sends the specially crafted DNS query to the vulnerable PAN-OS firewall.</li>
<li>The PAN-OS firewall&rsquo;s DNS proxy processes the malicious DNS query.</li>
<li>The buffer overflow occurs during the processing of the query in the DNS proxy or DNS server feature.</li>
<li>On PA-Series hardware firewalls, the overflow allows the attacker to overwrite memory and inject arbitrary code.</li>
<li>The injected code is executed, granting the attacker control over the firewall.</li>
<li>Alternatively, on VM-Series, the buffer overflow leads to a denial-of-service condition, disrupting the firewall&rsquo;s operation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-0264 can lead to a denial-of-service condition on vulnerable PAN-OS firewalls, impacting network availability and security. On PA-Series hardware firewalls, successful exploitation could allow an unauthenticated attacker to achieve arbitrary code execution, potentially leading to full system compromise and unauthorized access to sensitive data. The vendor is not aware of active exploitation as of the date of disclosure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory for CVE-2026-0264: 12.1.7, 12.1.4-h5, 11.2.12, 11.2.10-h6, 11.2.7-h13, 11.2.4-h17, 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33, 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, or 10.2.7-h34.</li>
<li>As a workaround, disassociate DNS Proxy from externally accessible interfaces or disable the DNS Proxy feature (Network &gt; DNS Proxy), and configure the DNS server with an RFC1918 address or a trusted public IP address.</li>
<li>Enable Threat ID 510027 with Applications and Threats content version 9100-10044 or later to block attacks targeting this vulnerability if you have a Threat Prevention subscription.</li>
<li>Monitor network traffic for suspicious DNS queries, particularly those with unusual length or structure, which may indicate exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cve</category><category>heap-overflow</category><category>rce</category><category>dos</category><category>network</category></item><item><title>CVE-2026-0256 PAN-OS Stored Cross-Site Scripting (XSS) Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0256-panos-xss/</link><pubDate>Wed, 13 May 2026 16:06:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-cve-2026-0256-panos-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS allows a malicious authenticated administrator to inject a JavaScript payload via the web interface, potentially impacting other administrators.</description><content:encoded><![CDATA[<p>CVE-2026-0256 is a stored cross-site scripting (XSS) vulnerability affecting Palo Alto Networks PAN-OS software. This vulnerability resides in the web interface and enables a malicious, authenticated administrator to inject and store a JavaScript payload. The injected payload can then be executed in the context of other administrators who interact with the affected part of the web interface. This issue impacts PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma Access are not affected. Palo Alto Networks is not aware of any malicious exploitation of this issue.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains high-privileged administrative access to a vulnerable PAN-OS device.</li>
<li>The attacker crafts a malicious JavaScript payload.</li>
<li>The attacker authenticates to the PAN-OS web interface.</li>
<li>The attacker navigates to a vulnerable section of the web interface that allows storing data.</li>
<li>The attacker injects the crafted JavaScript payload into a field that is saved to the PAN-OS configuration.</li>
<li>Another administrator authenticates to the PAN-OS web interface.</li>
<li>The second administrator navigates to the section of the web interface where the malicious JavaScript payload is stored.</li>
<li>The stored JavaScript payload executes within the second administrator&rsquo;s browser session, potentially leading to session hijacking, credential theft, or other malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this stored XSS vulnerability (CVE-2026-0256) allows a malicious administrator to execute arbitrary JavaScript code within the browser of other administrators. This could lead to the compromise of administrative accounts, unauthorized configuration changes, or the exfiltration of sensitive information. While the vulnerability requires high privileges to inject the payload, the impact on other administrators could be significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PAN-OS to a fixed version as specified in the Palo Alto Networks advisory to remediate CVE-2026-0256. Refer to the &ldquo;Solution&rdquo; section of the advisory for specific version recommendations.</li>
<li>Customers with a Threat Prevention subscription can enable Threat ID 510020 (from Applications and Threats content version 9100-10044 and later) to block attacks for this vulnerability, as mentioned in the &ldquo;Workarounds and Mitigations&rdquo; section.</li>
<li>Implement the mitigations described in the advisory, such as routing incoming traffic for the MGT port through a DP port, replacing the Certificate for Inbound Traffic Management, decrypting inbound traffic to the management interface, and enabling threat prevention on the inbound traffic to management services.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>xss</category><category>cve</category><category>web-interface</category></item></channel></rss>