Impact
A heap‑based buffer overflow in the DNS proxy and DNS Server features of Palo Alto Networks PAN‑OS allows an unauthenticated attacker with network access to send specially crafted DNS traffic that causes a denial of service or, on PA‑Series hardware, potentially arbitrary code execution. The vulnerability is triggered when the device receives oversized or malformed DNS data: the data overflows a heap buffer and corrupts adjacent memory, which can result in service disruption or code execution.
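An added illustration of the bug class described above, not PAN‑OS code (the vendor's DNS proxy implementation is not on this page): a minimal DNS answer parser in C that copies RDATA into a fixed‑size heap buffer, with the two length checks whose absence would let a crafted RDLENGTH write past that buffer. The function names, the 16‑byte buffer size and the sample packets are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define RDATA_CAP 16 /* capacity of the heap buffer that receives RDATA */
/* Skip a DNS name (labels or a compression pointer); 0 on bounds violation. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = p[off];
        if (l == 0) return off + 1;                      /* root label */
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0;
        if (l > 63 || off + 1 + l > len) return 0;       /* bad label */
        off += 1 + l;
    }
    return 0;
}
/* Copy the first answer's RDATA into a malloc'd RDATA_CAP-byte buffer; return
   its length or -1 if malformed. Without the two checks marked below, a crafted
   RDLENGTH drives memcpy past the heap buffer: the bug class described above. */
int extract_rdata(const uint8_t *pkt, size_t len, uint8_t **out) {
    if (len < 12) return -1;                             /* fixed header */
    size_t off = skip_name(pkt, len, 12);                /* question name */
    if (off == 0 || off + 4 > len) return -1;            /* QTYPE, QCLASS */
    off = skip_name(pkt, len, off + 4);                  /* answer name */
    if (off == 0 || off + 10 > len) return -1;           /* TYPE..RDLENGTH */
    size_t rdlen = ((size_t)pkt[off + 8] << 8) | pkt[off + 9];
    off += 10;
    if (rdlen > len - off) return -1;   /* check 1: RDATA lies inside packet */
    if (rdlen > RDATA_CAP) return -1;   /* check 2: RDATA fits the heap buffer */
    *out = malloc(RDATA_CAP);
    if (!*out) return -1;
    memcpy(*out, pkt + off, rdlen);
    return (int)rdlen;
}
/* Constructed response for "a.io" with one A record, with the RDLENGTH field
   set to rdlen_field and followed by `trailing` bytes of RDATA (test input). */
int run_case(uint16_t rdlen_field, size_t trailing) {
    static const uint8_t prefix[] = {
        0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0, /* header: QD=1, AN=1 */
        1, 'a', 2, 'i', 'o', 0, 0, 1, 0, 1,             /* question: a.io A IN */
        0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 0x3C };        /* answer: ptr, A, IN, TTL */
    size_t len = sizeof prefix + 2 + trailing;
    uint8_t *pkt = malloc(len), *rdata = NULL;
    if (!pkt) return -1;
    memcpy(pkt, prefix, sizeof prefix);
    pkt[sizeof prefix] = (uint8_t)(rdlen_field >> 8);
    pkt[sizeof prefix + 1] = (uint8_t)rdlen_field;
    memset(pkt + sizeof prefix + 2, 0xAA, trailing);
    int n = extract_rdata(pkt, len, &rdata);
    free(rdata); free(pkt); return n;
}
```

A well-formed 4-byte A record is accepted, an RDLENGTH larger than the remaining packet is rejected by check 1, and a self-consistent but oversized RDATA is rejected by check 2 before any copy happens.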
Affected Systems
Affected are Palo Alto Networks PAN‑OS platforms running the DNS proxy or DNS Server features, excluding Cloud NGFW and Prisma Access. Vulnerable PAN‑OS releases include versions 10.2.0 through 10.2.18‑h* (with specific patches required for 10.2.17, 10.2.18‑h6 or later), 11.1.x through 11.1.15 (with patches 11.1.15 or later), 11.2.x through 11.2.12 (with patches 11.2.12 or later), and 12.1.x through 12.1.6 (with patches 12.1.7 or later). All older unsupported PAN‑OS versions must be upgraded to a supported fixed version. The hardware families affected are the PA‑Series devices that run the DNS proxy and server modules.
Risk and Exploitability
The CVSS score of 6.6 indicates moderate overall risk. The vulnerability requires no authentication, but the attacker does need network reachability to the DNS proxy or DNS Server endpoints. A successful attack can cause a denial of service that disrupts network traffic or, on PA‑Series hardware, unauthorized code execution that could compromise the device and the network it protects. EPSS information is not available, and the vulnerability is not currently listed in the CISA KEV catalog, which suggests that exploitation is not yet widespread. Nonetheless, the possibility of remote code execution merits prompt action.
OpenCVE Enrichment