Back to overview

CVE-2026-0280

LOW
1.7
CVSS 4.0
Description
An IPv6 packet processing vulnerability in the dataplane of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker to bypass firewall security policy enforcement, allowing network traffic that should be blocked to reach protected services. Cloud NGFW and Panorama are not impacted by this vulnerability.

Metadata

CVE ID
CVE-2026-0280
State
PUBLISHED
Assigner
palo_alto
Reserved
2025-11-03 20:44 UTC
Published
2026-07-09 19:05 UTC
Last updated
2026-07-09 19:23 UTC
Primary CWE
CWE-131
CWE-131 Incorrect Calculation of Buffer Size
Vendor / Product
Palo Alto Networks / Cloud NGFW
Sources
cve.org  ·  NVD

Severity & Metrics

1.7 LOW CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/AU:Y/V:D/RE:M/U:Amber
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (4)
VendorProductPlatformVersions
Palo Alto Networks Cloud NGFW All
Palo Alto Networks PAN-OS 12.1.0 < 12.1.8, 11.2.0 < 11.2.13, 11.1.0 < 11.1.16, 10.2.0 < 10.2.18-h8
Palo Alto Networks Panorama All
Palo Alto Networks Prisma Access 11.2.0 < 11.2.7-h18, 10.2.0 < 10.2.10-h39
Weakness (CWE)
CWESourceDescription
CWE-131 cna CWE-131 Incorrect Calculation of Buffer Size
CVSS scores (1)
ScoreSeverityVersionSourceVector
1.7 LOW 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/AU:Y/V:D/RE:M/U:Amber
Back to overview