CVE-2026-0227 PAN-OS: Firewall Denial of Service (DoS) in GlobalProtect Gateway and Portal
Description
A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue result in the firewall entering maintenance mode.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.3-h3, < 12.1.4 | >= 12.1.3-h3, >= 12.1.4 |
| PAN-OS 11.2 | < 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2 | >= 11.2.4-h15 (ETA: 1/14/2026), >= 11.2.7-h8, >= 11.2.10-h2 |
| PAN-OS 11.1 | < 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13 | >= 11.1.4-h27, >= 11.1.6-h23, >= 11.1.10-h9, >= 11.1.13 |
| PAN-OS 10.2 | < 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1 | >= 10.2.7-h32, >= 10.2.10-h30, >= 10.2.13-h18, >= 10.2.16-h6, >= 10.2.18-h1 |
| PAN-OS 10.1 | < 10.1.14-h20 | >= 10.1.14-h20 |
| Prisma Access 11.2 | < 11.2.7-h8* | >= 11.2.7-h8* |
| Prisma Access 10.2 | < 10.2.10-h29* | >= 10.2.10-h29* |
* We have successfully completed the Prisma Access upgrade for most customers, with the exception of a few still in progress due to conflicting upgrade schedules. Remaining customers are being promptly scheduled for an upgrade through our standard upgrade process.
Required Configuration for Exposure
This issue is applicable only to PAN-OS NGFW or Prisma Access configurations with an enabled GlobalProtect gateway or portal.
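An added example (not Palo Alto Networks code) that applies the Product Status table and the exposure condition above to a firewall inventory. It assumes a hotfix threshold applies only within its own maintenance release, which is how the Solution table on this page reads (11.2.5 is told to upgrade even though 11.2.4-h15 is fixed); the inventory records and their field names are constructed.

```python
import re

# First fixed hotfix per maintenance release, copied from the Product Status
# table above (0 means the base release itself is fixed, e.g. 12.1.4).
FIXED = {
    "12.1": {3: 3, 4: 0},
    "11.2": {4: 15, 7: 8, 10: 2},
    "11.1": {4: 27, 6: 23, 10: 9, 13: 0},
    "10.2": {7: 32, 10: 30, 13: 18, 16: 6, 18: 1},
    "10.1": {14: 20},
}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse(version):
    """Split '11.2.7-h4' into ('11.2', 7, 4); a missing hotfix counts as 0."""
    m = _VERSION.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def is_affected(version):
    """True if the table does not list this release as fixed."""
    branch, maint, hotfix = parse(version)
    fixes = FIXED.get(branch)
    if fixes is None:
        raise LookupError(f"{branch} is not listed; check it by hand")
    if maint in fixes:
        # A hotfix threshold only applies within its own maintenance release.
        return hotfix < fixes[maint]
    # No hotfix line for this release: fixed only if newer than the newest fix.
    return maint < max(fixes)


def exposed(inventory):
    """Names of firewalls on an affected release with GlobalProtect enabled."""
    return [fw["name"] for fw in inventory
            if fw["globalprotect"] and is_affected(fw["version"])]


# Constructed inventory; host names and field names are hypothetical.
INVENTORY = [
    {"name": "fw-edge-1", "version": "11.2.7-h4", "globalprotect": True},
    {"name": "fw-edge-2", "version": "11.2.5", "globalprotect": True},
    {"name": "fw-core-1", "version": "10.2.13-h17", "globalprotect": False},
    {"name": "fw-dmz-1", "version": "11.1.10-h9", "globalprotect": True},
]

if __name__ == "__main__":
    print(exposed(INVENTORY))
```

Branches that the table does not list, including Prisma Access and older unsupported PAN-OS releases, raise `LookupError` so they are reviewed by hand rather than silently reported as safe.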
Severity: HIGH, Suggested Urgency: MODERATE
CVSS-BT: 7.7 / CVSS-B: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y/R:U/V:D/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-754 Improper Check for Unusual or Exceptional Conditions
CAPEC-210 Abuse Existing Functionality
Solution
| Version | Minor Version | Suggested Solution |
|---|---|---|
| Cloud NGFW | All | No action needed. |
| PAN-OS 12.1 | 12.1.0 through 12.1.3 | Upgrade to 12.1.4 or later. |
| PAN-OS 11.2 | 11.2.8 through 11.2.10 | Upgrade to 11.2.10-h2 or later. |
| PAN-OS 11.2 | 11.2.5 through 11.2.7 | Upgrade to 11.2.7-h8 or 11.2.10-h2 or later. |
| PAN-OS 11.2 | 11.2.0 through 11.2.4 | Upgrade to 11.2.4-h15 or 11.2.10-h2 or later. |
| PAN-OS 11.1 | 11.1.11 through 11.1.12 | Upgrade to 11.1.13 or later. |
| PAN-OS 11.1 | 11.1.7 through 11.1.10 | Upgrade to 11.1.10-h9 or 11.1.13 or later. |
| PAN-OS 11.1 | 11.1.5 through 11.1.6 | Upgrade to 11.1.6-h23 or 11.1.13 or later. |
| PAN-OS 11.1 | 11.1.0 through 11.1.4 | Upgrade to 11.1.4-h27 or 11.1.13 or later. |
| PAN-OS 10.2 | 10.2.17 through 10.2.18 | Upgrade to 10.2.18-h1 or later. |
| PAN-OS 10.2 | 10.2.14 through 10.2.16 | Upgrade to 10.2.16-h6 or 10.2.18-h1 or later. |
| PAN-OS 10.2 | 10.2.11 through 10.2.13 | Upgrade to 10.2.13-h18 or 10.2.18-h1 or later. |
| PAN-OS 10.2 | 10.2.8 through 10.2.10 | Upgrade to 10.2.10-h30 or 10.2.18-h1 or later. |
| PAN-OS 10.2 | 10.2.0 through 10.2.7 | Upgrade to 10.2.7-h32 or 10.2.18-h1 or later. |
| All older unsupported PAN-OS versions | | Upgrade to a supported fixed version. |
| Prisma Access 11.2 | 11.2 through | Upgrade to 11.2.7-h8 or later.* |
| Prisma Access 10.2 | 10.2 through | Upgrade to 10.2.10-h29 or later.* |
* See the note under Product Status for information regarding Prisma Access upgrades.
Workarounds and Mitigations
No known workarounds exist for this issue.
Acknowledgments
CPEs
cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:h1:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.3:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:12.1.2:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:h1:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.10:-:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.9:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.8:*:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h7:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h4:*:*:*:*:*:*
cpe:2.3:o:palo_alto_networks:pan-os:11.2.7:h3:*:*:*:*:*:*
CPE Applicability
- cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 12.1.0 and up to (excluding) 12.1.4
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 12.1.3 and up to (excluding) 12.1.3-h3
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.2.8 and up to (excluding) 11.2.10-h2
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.2.5 and up to (excluding) 11.2.7-h8
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.2.0 and up to (excluding) 11.2.4-h15
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.1.0 and up to (excluding) 11.1.13
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.1.10 and up to (excluding) 11.1.10-h9
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.1.6 and up to (excluding) 11.1.6-h23
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 11.1.4 and up to (excluding) 11.1.4-h27
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.2.17 and up to (excluding) 10.2.18-h1
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.2.14 and up to (excluding) 10.2.16-h6
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.2.11 and up to (excluding) 10.2.13-h18
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.2.8 and up to (excluding) 10.2.10-h30
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.2.0 and up to (excluding) 10.2.7-h32
- OR cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including) 10.1.0 and up to (excluding) 10.1.14-h20
- OR
- cpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including) 11.2.7 and up to (excluding) 11.2.7-h8
- OR cpe:2.3:o:palo_alto_networks:prisma_access:*:*:*:*:*:*:*:* is vulnerable from (including) 10.2.10 and up to (excluding) 10.2.10-h29