CVE-2026-0300
May 6, 2026

Palo Alto PAN-OS Authentication Portal Buffer Overflow Vulnerability Under Active Exploitation

Security Advisory
Kudelski Security Team

Summary

A critical buffer overflow vulnerability, tracked as CVE-2026-0300, has been identified in the User-ID™ Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS. It affects PA-Series and VM-Series firewalls on which the portal is enabled and allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets to the portal. The vulnerability is being actively exploited, and immediate action is required to reduce exposure until patched releases are available.

Affected Systems and/or Applications

  • Affected Products: PA-Series and VM-Series firewalls running PAN-OS.
  • Vulnerable Configurations: Systems configured with the User-ID™ Authentication Portal (Captive Portal) service enabled.
  • Unaffected Products: Prisma Access, Cloud NGFW, and Panorama appliances.
  • Vulnerable PAN-OS Versions:
    • From 12.1.4 up to (excluding) 12.1.4-h5
    • From 12.1.0 up to (excluding) 12.1.7
    • From 11.2.4 up to (excluding) 11.2.4-h17
    • From 11.2.7 up to (excluding) 11.2.7-h13
    • From 11.2.10 up to (excluding) 11.2.10-h6
    • From 11.2.0 up to (excluding) 11.2.12
    • From 11.1.4 up to (excluding) 11.1.4-h33
    • From 11.1.6 up to (excluding) 11.1.6-h32
    • From 11.1.7 up to (excluding) 11.1.7-h6
    • From 11.1.10 up to (excluding) 11.1.10-h25
    • From 11.1.13 up to (excluding) 11.1.13-h5
    • From 11.1.0 up to (excluding) 11.1.15
    • From 10.2.7 up to (excluding) 10.2.7-h34
    • From 10.2.10 up to (excluding) 10.2.10-h36
    • From 10.2.13 up to (excluding) 10.2.13-h21
    • From 10.2.16 up to (excluding) 10.2.16-h7
    • From 10.2.18 up to (excluding) 10.2.18-h6

Technical Details

The vulnerability is a buffer overflow in the User-ID™ Authentication Portal service that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The attack is delivered over the network, requires no user interaction or privileges, and is highly automatable; only appliances on which the portal service is enabled expose the vulnerable code path. The weakness is classified as CWE-787 (Out-of-bounds Write) and the attack pattern as CAPEC-100 (Overflow Buffers). The CVSS 4.0 base score is 9.3, which is rated critical.

  • Vulnerability Type: Buffer Overflow (CWE-787: Out-of-bounds Write)
  • Impact: Remote Code Execution (RCE) with root privileges.
  • Attack Vector: Network-based delivery of crafted packets.
  • Severity: CRITICAL, CVSS 4.0 Score: 9.3
  • Exploit Maturity: Actively Exploited
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

Mitigation

Immediate mitigation steps include:

  1. Restrict Access: Until a fixed release is installed, limit access to the User-ID™ Authentication Portal to trusted internal IP addresses only. This significantly reduces exposure but does not remove the vulnerability.
  2. Disable Portal: If the User-ID™ Authentication Portal is not required, disable it; with the service disabled the vulnerable code path is not reachable.
  3. Patch Deployment: Palo Alto Networks plans to release patches on May 13 and May 28, 2026. The target releases are the upper bounds of the ranges listed under Affected Systems (for example 12.1.4-h5 for the 12.1.4 maintenance release). Apply these updates as soon as they become available.
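As an added example (not code from this advisory or from Palo Alto Networks), the following Python checks a firewall's sw-version against the ranges listed under Affected Systems and reports the first version outside the matching range, which is the release the patch-deployment step above calls for. It assumes PAN-OS version strings of the form X.Y.Z or X.Y.Z-hN, and that a range whose lower bound is the device's own maintenance release (such as 12.1.4 up to 12.1.4-h5) takes precedence over the broader train range that also contains it; otherwise a naive range match would flag 12.1.4-h5 as vulnerable. The `show system info` field name and the sample transcript are constructed for the example. Versions outside every listed range (for example 10.2.6, or trains not on the list) are reported as not listed, not as safe.

```python
"""Check a PAN-OS version string against the ranges listed in this advisory."""
import re
from typing import NamedTuple, Optional, Tuple

# Copied from the advisory's "Vulnerable PAN-OS Versions" list as
# (first affected, first version outside the range) pairs; upper bound exclusive.
VULNERABLE_RANGES = [
    ("12.1.4", "12.1.4-h5"),    ("12.1.0", "12.1.7"),
    ("11.2.4", "11.2.4-h17"),   ("11.2.7", "11.2.7-h13"),
    ("11.2.10", "11.2.10-h6"),  ("11.2.0", "11.2.12"),
    ("11.1.4", "11.1.4-h33"),   ("11.1.6", "11.1.6-h32"),
    ("11.1.7", "11.1.7-h6"),    ("11.1.10", "11.1.10-h25"),
    ("11.1.13", "11.1.13-h5"),  ("11.1.0", "11.1.15"),
    ("10.2.7", "10.2.7-h34"),   ("10.2.10", "10.2.10-h36"),
    ("10.2.13", "10.2.13-h21"), ("10.2.16", "10.2.16-h7"),
    ("10.2.18", "10.2.18-h6"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'10.2.7-h34' -> (10, 2, 7, 34).  A release without a hotfix suffix gets
    hotfix 0, so 10.2.7 < 10.2.7-h1 < 10.2.7-h34 < 10.2.8 under tuple
    comparison, which is the ordering the advisory's ranges rely on."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


class Verdict(NamedTuple):
    vulnerable: bool
    matched_range: Optional[Tuple[str, str]]  # None: outside every listed range
    upgrade_to: Optional[str]                 # first version outside the range


def assess(version: str) -> Verdict:
    v = parse_version(version)
    base = v[:3]
    # Assumption about how to read the list: a range whose lower bound is the
    # device's own maintenance release (e.g. "12.1.4 .. <12.1.4-h5") is the
    # hotfix carve-out for that release and is checked on its own.  Without
    # this, the train range "12.1.0 .. <12.1.7" would flag 12.1.4-h5 even
    # though the list names it as the first version outside the range.
    specific = [r for r in VULNERABLE_RANGES if parse_version(r[0])[:3] == base]
    for lo, hi in specific or VULNERABLE_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return Verdict(True, (lo, hi), hi)
    return Verdict(False, specific[0] if specific else None, None)


# Assumption: `show system info` on the CLI prints the field as
# "sw-version: X.Y.Z[-hN]"; adjust the pattern if your output differs.
_SW_VERSION_RE = re.compile(r"^sw-version:\s*(\S+)\s*$", re.MULTILINE)


def version_from_show_system_info(cli_output: str) -> str:
    """Pull the sw-version value out of a `show system info` transcript."""
    m = _SW_VERSION_RE.search(cli_output)
    if not m:
        raise ValueError("no sw-version line found in output")
    return m.group(1)


# Constructed sample: a trimmed `show system info` transcript, not real data.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-5220
sw-version: 10.2.7-h12
app-version: 8900-9100
"""

if __name__ == "__main__":
    for ver in ("12.1.4-h5", "12.1.5", "11.1.4-h33", "10.2.18", "9.1.17"):
        print(ver, assess(ver))
    print(assess(version_from_show_system_info(SAMPLE_SHOW_SYSTEM_INFO)))
```

Run it against the output of `show system info` from each firewall (or the sw-version field from your asset inventory). A verdict with `matched_range` set and `vulnerable` false means the device is already on or past the first version outside its listed range; a verdict with `matched_range` of `None` means the version is not covered by the list on this page and needs to be checked against the vendor advisory rather than treated as safe.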

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is monitoring the situation, and this advisory will be updated if required. Detection content for this CVE is available under the following vulnerability-scanner plugin IDs:

  • Tenable ID: 312282
  • Qualys ID: 3734142
