A newly disclosed cybersecurity issue, tracked as CVE-2026-0300, has drawn urgent attention due to its critical severity and active exploitation. The flaw affects PAN-OS, the operating system used in Palo Alto Networks firewalls, and has been categorized as a buffer overflow vulnerability with serious implications for enterprise security environments.
The CVE-2026-0300 PAN-OS vulnerability was officially published on May 6, 2026, and updated the same day after being discovered in real-world production environments. It carries a CVSS score of 9.3, placing it firmly in the “critical” category. The issue stems from a buffer overflow vulnerability in the User-ID Authentication Portal, also known as the Captive Portal service, within PAN-OS.
This flaw allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted network packets. Because the attack requires no authentication, no user interaction, and can be carried out over the network with low complexity, the exposure risk is considered extremely high.
Technical Details of the Buffer Overflow Vulnerability in PAN-OS
The root cause of CVE-2026-0300 is classified under CWE-787: Out-of-bounds Write, a common but dangerous type of buffer overflow vulnerability. Attackers can exploit this flaw to overwrite memory and potentially take full control of affected systems.
The vulnerability impacts PA-Series and VM-Series firewalls when the User-ID™ Authentication Portal is enabled. Importantly, Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Security data associated with the vulnerability highlights the following:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality, Integrity, Availability Impact: High
Additionally, the vulnerability is automatable and has already reached the “ATTACKED” stage in exploit maturity, indicating that real-world attacks have been observed.
Active Exploitation and Risk Factors
Evidence shows limited exploitation of CVE-2026-0300, particularly targeting systems where the User-ID Authentication Portal is exposed to untrusted networks or the public internet. Environments that allow external access to this portal face the highest level of risk.
The severity is further highlighted by the CVSS vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H
This translates to a scenario where attackers can remotely compromise systems without needing credentials or user involvement, leveraging the buffer overflow vulnerability to gain root-level access.
Affected and Unaffected Versions
Multiple versions of PAN-OS are impacted by CVE-2026-0300, including:
- PAN-OS 12.1 versions prior to 12.1.4-h5 and 12.1.7
- PAN-OS 11.2 versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 11.1 versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 10.2 versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
Patches are scheduled with estimated availability dates ranging from May 13 to May 28, 2026. Cloud NGFW and Prisma Access deployments remain unaffected.
Mitigation and Workarounds
While patches are being rolled out, organizations are advised to take immediate steps to reduce exposure to the buffer overflow vulnerability in PAN-OS.
Recommended mitigations include:
- Restricting access to the User-ID Authentication Portal to trusted internal IP addresses only
- Preventing any exposure of the portal to the public internet
- Disabling the User-ID Authentication Portal entirely if it is not required
The risk associated with CVE-2026-0300 drops significantly when these best practices are implemented. Systems that already follow strict network segmentation and access control policies are at much lower risk.
