Description
A denial-of-service (DoS) vulnerability in the Advanced DNS Security (ADNS) feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode.

Cloud NGFW and Prisma Access® are not impacted by this vulnerability.
Published: 2026-02-11
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via forced system reboots
Action: Immediate Patch
AI Analysis

Impact

A denial‑of‑service flaw exists in the Advanced DNS Security (ADNS) feature of Palo Alto Networks PAN‑OS. An unauthenticated attacker can send a specially crafted packet that forces the firewall to reboot. Repeated attempts can lock the device into maintenance mode, rendering it unavailable. The flaw maps to CWE‑754, which concerns the use of remote input to cause a denial of service.

Affected Systems

Products affected are Palo Alto Networks PAN‑OS firmware versions 11.2.0 through 11.2.9 and 12.1.2 through 12.1.3. Cloud NGFW and Prisma Access are not impacted. Users running these firmware ranges should consider the vendor‑recommended updates: for PAN‑OS 12.1, upgrade to 12.1.4 or later; for PAN‑OS 11.2, upgrade to 11.2.10 or later; all older, unsupported PAN‑OS releases should be moved to a supported fixed version.

Risk and Exploitability

The CVSS base score of 6.6 indicates a moderate severity, and the EPSS score, while low (<1%), confirms that the vulnerability is not currently widely exploited. Because the issue requires an unauthenticated network packet, the most likely attack vector would be an insider or adversary gaining network access to the ADNS interface. Once exploited, the attacker can force ongoing reboots and lock the device, causing a denial of service. The vulnerability is not listed in the CISA KEV catalog, implying no publicly confirmed exploits at the time of writing.

Generated by OpenCVE AI on April 17, 2026 at 20:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PAN‑OS 12.1 firmware to 12.1.4 or later if running 12.1.2‑12.1.3.
  • Upgrade PAN‑OS 11.2 firmware to 11.2.10 or later if running 11.2.0‑11.2.9.
  • If using any older or unsupported PAN‑OS release, migrate to the latest supported version that includes the fix.

Generated by OpenCVE AI on April 17, 2026 at 20:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Palo Alto Networks cloud Ngfw
Palo Alto Networks prisma Access
Vendors & Products Palo Alto Networks cloud Ngfw
Palo Alto Networks prisma Access

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description A denial-of-service (DoS) vulnerability in the Advanced DNS Security (ADNS) feature of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode. Cloud NGFW and Prisma Access® are not impacted by this vulnerability.
Title PAN-OS: Denial of Service in Advanced DNS Security Feature
First Time appeared Palo Alto Networks
Palo Alto Networks pan-os
Weaknesses CWE-754
CPEs cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.1:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.2:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.3:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.4:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.5:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.6:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.8:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.9:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:*:*:*:*:*:*:*
Vendors & Products Palo Alto Networks
Palo Alto Networks pan-os
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/AU:Y/R:U/V:D/RE:M/U:Amber'}

Subscriptions

Palo Alto Networks Cloud Ngfw Pan-os Prisma Access
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-02-11T18:58:48.926Z

Reserved: 2025-11-03T20:43:50.406Z

Link: CVE-2026-0229

cve-icon Vulnrichment

Updated: 2026-02-11T18:58:42.955Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T18:16:07.897

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses