
PALO Alto Networks has published advisories for thirteen vulnerabilities, including a critical buffer overflow tracked as CVE-2026-0288 in its PAN‑OS software. The flaw could allow an unauthenticated attacker to execute arbitrary code on affected firewalls. Versions PAN‑OS 12.1, 11.2, 11.1 and 10.2 are impacted, with fixed builds such as 12.1.8, 11.2.9 and 10.2.8 now available.
CVE-2026-0288 carries a CVSS score of 7.2 and is classified as a high‑severity buffer overflow in the PAN‑OS management plane according to SecurityOnline. An attacker who can send specially crafted packets to an exposed device may trigger the overflow and execute arbitrary code without needing credentials. The vulnerability stems from insufficient bounds checking when processing certain network packets.
The overflow occurs in a packet handling routine where input length is not properly validated, allowing data to overwrite adjacent memory. Because the management interface is often reachable from the internet, the flaw can be exploited without any authentication step. To date, Palo Alto has not observed active exploitation of this issue in the wild.
This advisory is one of thirteen released today as reported by SecurityWeek, which also contains seven medium‑severity flaws that can lead to denial of service and five low‑severity issues involving privilege escalation or information disclosure. Palo Alto says the rise in discovered bugs is partly due to its internal use of artificial intelligence for code analysis. No threat actor has been tied to CVE-2026-0288 so far.
Defenders should start by confirming the exact PAN‑OS release running on each firewall and then apply the corresponding update through the device web interface or via Panorama for centralised management. Limiting access to the management interface to known IP ranges and enabling zone‑based protection profiles can reduce the chance of a successful attack while the patch is being rolled out.
It is also wise to inspect system logs for abnormal packet drops or unexpected restarts that could signal an attempted overflow, and to consider adding an intrusion‑detection signature specific to CVE-2026-0288 if available. Testing the update in a lab or staged group before a full deployment helps avoid unintended service interruptions.