CVE-2026-0300

Summary

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.

Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Palo Alto NetworksCloud NGFWAllunaffected
Palo Alto NetworksPAN-OS12.1.0 < 12.1.7affected
Palo Alto NetworksPAN-OS11.2.0 < 11.2.12affected
Palo Alto NetworksPAN-OS11.1.0 < 11.1.15affected
Palo Alto NetworksPAN-OS10.2.0 < 10.2.18-h6affected
Palo Alto NetworksPrisma AccessAllunaffected

Weaknesses

  • CWE-787: CWE-787: Out-of-bounds Write

Workarounds

Customers can mitigate the risk of this issue by taking either of the following actions:

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 510019 from Applications and Threats content version 9097-10022. Decoder capabilities necessitate PAN-OS 11.1 or a later version for Threat ID support.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

Additional References

References