CVE-2026-0263

Vulnerability

A buffer overflow vulnerability exists in the IKEv2 processing of Palo Alto Networks PAN-OS software. The issue is present in PAN-OS versions 12.1.2, 12.1.3, 12.1.4 (including hotfix releases - and h2, h3), 12.1.5, 12.1.6, 11.2.7 (including hotfix releases h3, h4, h7, h8, h10, h11, h12), 11.2.8, 11.2.9, 11.2.10 (including hotfix releases - and h1, h2, h3, h4, h5), and 11.2.11 [1]. The vulnerable code path is reachable only when IKEv2 VPN tunnels are configured with Post Quantum Cryptography (PQC) ciphers that are not NIST approved [1]. Panorama, Cloud NGFW, and Prisma Access are not affected [1].

Exploitation

An unauthenticated network-based attacker can trigger the buffer overflow by sending specially crafted IKEv2 packets to an affected firewall that has IKEv2 VPN configured with non-NIST-approved PQC ciphers [1]. No authentication is required, and network access to the firewall's IKEv2 interface is sufficient. The advisory does not specify details of the required packet sequence, but the condition depends on the specific IKEv2 configuration involving PQC ciphers [1]. Palo Alto Networks is not aware of any malicious exploitation of this issue publicly [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code with elevated privileges on the firewall, or cause a denial of service (DoS) condition [1]. This represents a complete compromise of confidentiality, integrity, and availability on the affected device, with the attacker gaining high-privilege code execution.

Mitigation

Palo Alto Networks has not released a software fix for this vulnerability as of the publication date. Customers can mitigate the issue by configuring IKEv2 VPN tunnels only with NIST-approved Post Quantum Cryptography (PQC) ciphers, or disabling IKEv2 with non-NIST-approved PQC ciphers entirely [1]. Affected PAN-OS versions are those listed above; organizations should monitor for future patched releases.