Palo Alto Networks has disclosed a PAN-OS firewall vulnerability that can let remote attackers force repeated reboots, potentially pushing a device into a “reboot loop” that ends in maintenance mode.
Tracked as CVE-2026-0229, the issue sits in the Advanced DNS Security (ADNS) feature. It can be triggered by an unauthenticated attacker using a maliciously crafted network packet.
Palo Alto Networks published and updated the advisory on 2026-02-11, stating that it discovered the flaw internally.

| Field | Data |
|---|---|
| CVE | CVE-2026-0229 |
| Vendor / product | Palo Alto Networks PAN-OS |
| Affected feature | Advanced DNS Security (ADNS) |
| Vulnerability type | Denial of Service (DoS), CWE-754 |

The problem is a Denial of Service condition: an attacker does not need credentials or user interaction, yet can still cause a significant impact on high availability by repeatedly initiating reboots.
If the reboot trigger is repeatedly attempted, the firewall can enter maintenance mode, disrupting traffic inspection and connectivity.
Palo Alto Networks reports no known malicious exploitation at the time of disclosure, and the advisory lists exploit maturity as unreported.
Not every deployment is exposed. The firewall must have ADNS enabled, and it must be using a spyware security profile where actions are set to block, sinkhole, or alert (any non-allow action).
In other words, environments that actively enforce ADNS-based protections are most likely to be affected.
Palo Alto Networks also notes that Cloud NGFW and Prisma Access are not affected, narrowing the risk to certain on-prem and self-managed PAN-OS installations.
Palo Alto Networks rates the severity as medium, with a suggested urgency of moderate, and assigns a CVSS base score of 6.66.
The company recommends upgrading to fixed releases: PAN-OS 12.1.4 or later for the 12.1 train, and PAN-OS 11.2.10 or later for the 11.2 train.
There are no workarounds, and Palo Alto Networks states that a Threat Prevention signature is not possible due to the nature of the bug, so patching is the primary remediation.
Administrators should inventory firewalls with ADNS enabled, confirm impacted versions, schedule upgrades, and monitor for unexpected reboots or repeated restarts that could indicate attempted abuse.
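
The inventory step above can be scripted. The following is an added example, not code from Palo Alto Networks or the advisory: it classifies devices using only the conditions and fixed releases stated in this article. The record fields (`host`, `product`, `version`, `adns_enabled`, `dns_action`) and the sample devices are assumptions constructed for illustration.

```python
import re

# Fixed maintenance releases named in the article, keyed by release train.
FIXED = {(12, 1): 4, (11, 2): 10}
# Products the article lists as not affected.
NOT_AFFECTED_PRODUCTS = {"Cloud NGFW", "Prisma Access"}

def parse_version(v):
    """Split 'major.minor.maint[-hN]' into ((major, minor), maint).
    The hotfix suffix is ignored: the article names only maintenance releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {v!r}")
    major, minor, maint = map(int, m.groups())
    return (major, minor), maint

def triage(device):
    """Classify one inventory record against the article's exposure conditions."""
    if device["product"] in NOT_AFFECTED_PRODUCTS:
        return "not-affected-product"
    # Exposure requires ADNS enabled AND a non-allow spyware profile action.
    if not device["adns_enabled"] or device["dns_action"] == "allow":
        return "not-exposed"
    train, maint = parse_version(device["version"])
    if train not in FIXED:
        return "check-advisory"  # article names no fixed release for this train
    return "fixed" if maint >= FIXED[train] else "upgrade"

def report(inventory):
    """Map each host to its triage status."""
    return {d["host"]: triage(d) for d in inventory}

# Constructed sample inventory (hypothetical hosts, versions and field names).
INVENTORY = [
    {"host": "fw-edge-01", "product": "PAN-OS", "version": "11.2.9-h3", "adns_enabled": True, "dns_action": "sinkhole"},
    {"host": "fw-edge-02", "product": "PAN-OS", "version": "11.2.10", "adns_enabled": True, "dns_action": "block"},
    {"host": "fw-dc-01", "product": "PAN-OS", "version": "12.1.3", "adns_enabled": True, "dns_action": "alert"},
    {"host": "fw-lab-01", "product": "PAN-OS", "version": "12.1.2", "adns_enabled": False, "dns_action": "block"},
    {"host": "fw-br-01", "product": "PAN-OS", "version": "10.2.13", "adns_enabled": True, "dns_action": "block"},
    {"host": "cloud-01", "product": "Cloud NGFW", "version": "11.2.8", "adns_enabled": True, "dns_action": "block"},
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices that come back as `check-advisory` run a release train this article does not cover, so their status has to be confirmed against the vendor advisory.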

