CVE-2026-0300
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Confirmed exploited in the wild. Added 2026-05-06.
Federal remediation due 2026-05-09.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented:
- Restrict User-ID Authentication Portal access to only trusted zones.
- Disable User-ID Authentication Portal if not required.
5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.
Summary
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail) by restricting access to only trusted internal IP addresses.
Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
References
- https://security.paloaltonetworks.com/CVE-2026-0300
- https://cert-portal.siemens.com/productcert/html/ssa-967325.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300
Data: NIST NVD + CISA KEV. NVD last modified 2026-05-12. Always verify against the vendor advisory before acting.