Palo Alto Networks has released a series of important security updates addressing multiple vulnerabilities across its PAN-OS software. The most alarming of these is a buffer overflow in IKEv2 processing that could allow an unauthenticated attacker to seize control of a firewall with elevated privileges.
The headline of this security cycle is CVE-2026-0263 (CVSS 7.2), a high-impact buffer overflow vulnerability. This flaw resides in the Internet Key Exchange (IKEv2) processing of PAN-OS.
An unauthenticated, network-based attacker can exploit this flaw to execute arbitrary code with elevated privileges on the firewall. Beyond full system compromise, the vulnerability can also be used to trigger a Denial of Service (DoS) condition, effectively knocking the security gateway offline.
If you cannot upgrade immediately, ensure your IKEv2 VPN tunnels use only NIST-approved PQC ciphers.
Also rated with a CVSS of 7.2, CVE-2026-0265 allows unauthenticated attackers to bypass security controls when the Cloud Authentication Service (CAS) is enabled and attached to a login interface. The danger is highest if CAS is active on the management interface.
Workarounds:
- Restrict management interface access to trusted internal IP addresses only.
- Temporarily switch the authentication profile from CAS to SAML or RADIUS.
- Enable Threat ID 510008 (requires Threat Prevention subscription and PAN-OS 11.2+).
The third vulnerability, tracked as CVE-2026-0264 (CVSS 7.2), affects the DNS proxy and DNS Server features, potentially leading to RCE on PA-Series hardware or a DoS condition on other platforms.
Exposure Requirements: Systems are at risk if the DNS Proxy is enabled with an attached network interface, or if the configured DNS server uses a compromised public IP.
Mitigation:
- Disable the DNS Proxy feature if it is not in use.
- Ensure DNS servers are configured with RFC1918 or trusted public IP addresses.
- Enable Threat ID 510027 for active blocking.
While Cloud NGFW and Prisma Access are generally unaffected by these specific issues, administrators using PA-Series, VM-Series, and Panorama should verify their versions immediately.
| PAN-OS Version | Recommended Action |
| --- | --- |
| 12.1 | Upgrade to 12.1.4-h5, 12.1.7, or later. |
| 11.2 | Upgrade to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12. |
| 11.1 | Upgrade to 11.1.4-h33, 11.1.6-h32, 11.1.13-h5, or 11.1.15. |
| 10.2 | Upgrade to 10.2.7-h34, 10.2.10-h36, or 10.2.18-h6. |
Many of the “Unaffected” versions (like 12.1.7 and 11.2.12) have an estimated arrival (ETA) of May 28, 2026. Ensure your security teams are prepared to deploy these patches as soon as they become available.
For those running older, unsupported versions, the recommendation remains firm: upgrade to a supported, fixed version immediately to maintain a robust security posture.
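To check an inventory against the upgrade table above, the following added example (not vendor code) parses PAN-OS version strings and reports the nearest listed fixed release. The function names `parse` and `assess` are hypothetical, and the comparison rule is an assumption: a listed hotfix covers later hotfixes of the same maintenance release, and anything at or past the newest listed release in a train counts as fixed.

```python
import re

# Fixed releases per train, copied from the table above.
FIXED = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.18-h6"],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(version):
    """Return (status, upgrade_target) for one running version string."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if train not in FIXED:
        return ("not-listed", None)  # train absent from the table
    fixes = sorted(FIXED[train], key=parse)
    # Assumption: a listed hotfix covers later hotfixes of the same
    # maintenance release, and anything at or past the newest listed
    # release for the train is fixed.
    same_line = any(parse(f)[:3] == v[:3] and v[3] >= parse(f)[3] for f in fixes)
    if same_line or v >= parse(fixes[-1]):
        return ("fixed", None)
    # Otherwise point at the nearest listed release above the running one.
    target = next(f for f in fixes if parse(f) > v)
    return ("upgrade", target)


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for host, ver in [("fw-a", "11.2.4-h12"), ("fw-b", "11.2.5"), ("fw-c", "10.2.19")]:
        print(host, ver, *assess(ver))
```

A `not-listed` result means the train does not appear in the table, which includes the older, unsupported versions mentioned above.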