CVE-2026-0300
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch. Deadline for federal agencies: 2026-05-09.
14 articles across 7 outlets · first covered May 6, 2026 · latest May 19, 2026
Tracked incidents
Associated threat actors
Coverage timeline
-
Siemens RUGGEDCOM APE1808 Deviceswww.cisa.gov · May 19, 2026
-
Palo Alto fixes critical PAN OS bug after EarthWorm exploitsthehackernews.com · May 14, 2026
-
Ivanti EPMM and PAN OS flaws hit as patches roll out mid Maythehackernews.com · May 11, 2026
-
Nation-state actors exploit Palo Alto PAN-OS zero-day for weekssecurityaffairs.com · May 7, 2026
-
Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hackingwww.securityweek.com · May 7, 2026
-
Palo Alto Networks Warns of Exploits in CVE-2026-0300 PANOSthehackernews.com · May 7, 2026
-
CISA adds Palo Alto PAN OS flaw CVE-2026-0300 to KEV catalogsecurityaffairs.com · May 7, 2026
-
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Executionunit42.paloaltonetworks.com · May 7, 2026
-
CVE-2026-0300 flaw in Palo Alto firewalls grants root accesswww.cisa.gov · May 6, 2026
-
CISA flags exploit in Palo Alto firewall flaw CVE-2026-0300cisa.gov · May 6, 2026
-
Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)www.rapid7.com · May 6, 2026
-
Critical PAN-OS flaw CVE-2026-0300 under attack, patch due Maysecurityaffairs.com · May 6, 2026
-
Critical PANOS flaw lets hackers run code via exposed portalthehackernews.com · May 6, 2026
-
Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewallswww.securityweek.com · May 6, 2026