CVE-2026-0280
Awaiting Analysis Awaiting Analysis - Queue

IPv6 Packet Processing Bypass in Palo Alto PAN-OS

Vulnerability report for CVE-2026-0280, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Palo Alto Networks, Inc.

Description

An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OSยฎ software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach protected services. Cloud NGFW and Panorama are not impacted by this vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
palo_alto_networks pan-os 10.2
palo_alto_networks pan-os 11.1
palo_alto_networks pan-os 11.2
palo_alto_networks pan-os 12.1
palo_alto_networks prisma_access 10.2
palo_alto_networks prisma_access 11.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-0280 is a vulnerability in Palo Alto Networks PAN-OS software related to IPv6 packet processing in the dataplane. It allows an unauthenticated attacker to bypass firewall security policies by exploiting a flaw in how IPv6 packets are handled. This means that network traffic that should normally be blocked by the firewall can instead reach protected services.

This vulnerability affects PAN-OS firewalls with IPv6 enabled on one or more interfaces but does not impact Cloud NGFW or Panorama products.

Impact Analysis

This vulnerability can impact you by allowing unauthorized network traffic to bypass firewall security policies and reach protected services. This could potentially expose sensitive systems or data to attackers who should not have access.

Since the attacker does not need to be authenticated, the risk is higher as it can be exploited remotely without credentials.

The vulnerability has a moderate severity score (CVSS 6.3) and Palo Alto Networks recommends upgrading to patched versions or enabling a temporary mitigation setting called "Non SYN TCP Reject" to reduce risk.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability immediately, administrators can enable the "Non SYN TCP Reject" setting as a temporary measure.

The recommended permanent fix is to upgrade to a patched version of PAN-OS or Prisma Access according to the specific upgrade paths provided for each affected release.

Compliance Impact

This vulnerability allows an unauthenticated attacker to bypass firewall security policy enforcement, potentially permitting unauthorized network traffic to reach protected services.

Such a bypass could lead to unauthorized access or data exposure, which may impact compliance with security requirements in common standards and regulations like GDPR and HIPAA that mandate protection of sensitive data and network security controls.

However, the provided information does not explicitly describe the direct impact on compliance frameworks or specific regulatory requirements.

Chat Assistant

Ask questions about this CVE
Hi! Iโ€™m here to help you understand CVE-2026-0280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart