Fixes were made to address the following CVEs:

(VM-Series firewalls on Amazon Web Services (AWS) environments only) Fixed an issue where a newly bootstrapped firewall required a management server restart, relicensing, or license push from Panorama to invoke the device certificate.

Fixed an issue where the firewall did not forward traffic due to memory issues on a forwarding component.

(Panorama managed firewalls only) Fixed an issue where the firewall intermittently failed to maintain active log forwarding streams to Strata Logging Service (SLS) even when duplicate logging and enhanced application logging were enabled.

Fixed an issue where commits caused high dataplane CPU utilization and briefly increased Packet Descriptors, which disrupted traffic.

Fixed an issue where Panorama failed to perform a selective push to a managed device when device tags were added or modified on the policy rules. The selective push failed with the error message Failed to generate selective push configuration. Schema validation failed. Please try a full push.

Fixed an issue on Panorama where a memory leak occurred related to the reportd process due to retaining memory that was temporarily used for report generation instead of releasing the memory for reuse, which resulted in continuous accumulation and memory exhaustion.

(VM-Series firewalls in Microsoft Azure environments only) Fixed an issue where the firewall repeatedly restarted due to high packet rates on the synthetic path in DPDK mode.

Fixed an issue where a memory leak occurred on the reportd process when a WildFire update was initiated while device telemetry data collection was in progress. This resulted in an OOM condition.

Fixed an issue where high SSL traffic depleted flex memory, which prevented the firewall from revalidating SSLVPN client CAs during configuration pushes.

Fixed an issue where the firewall became unresponsive after an upgrade due to the fsck command scanning drive partitions in parallel with the root partition, which caused the process to take an extended amount of time.

Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.

Fixed an issue where TFTP file transfers intermittently timed out in active-active HA pairs when the TFTP control channel was processed by one firewall and the data channel was processed by the other. This occurred because the firewall receiving the data channel failed to match the predicted session due to asynchronous processing of HA messages.

Fixed an issue on the firewall where the useridd process continuously increased its memory consumption, which resulted in an OOM condition that caused the firewall to restart.

Fixed an issue where the firewall did not forward logs to SLS when using a proxy server configuration due to an OCSP validation failure.