EXECUTIVE SUMMARY:
A denial-of-service flaw tracked as CVE-2026-0229 that can force affected firewalls into a crash /reboot loop and ultimately push them into maintenance mode. This vulnerability exists in the Advanced DNS Security (ADNS) feature of PAN-OS and can be triggered by a specially crafted network packet from an unauthenticated attacker. The issue carries a CVSSv4 base score of 6.6 (Medium), reflecting a significant impact on system availability. An exploitable configuration requires ADNS enabled with a spyware profile that blocks, sinkholes, or alerts traffic. If these conditions are met, repeated malicious packets can repeatedly reboot the device, disrupting normal firewall operations. Affected versions include multiple PAN-OS releases 12.1, 11.2 and Versions 11.1, 10.2, and Prisma Access are completely unaffected.
RECOMMENDATION:
We strongly recommend you update Palo Alto Networks PAN-OS to version 12.1.4 / 11.2.10 or higher.
REFERENCES:
The following reports contain further technical details: