PAN-OS User-ID Auth Captive Po Buffer Overflow Root Code Exec
CVE-2026-0300 Published on May 6, 2026
PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal
A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
The risk of this issue is greatly reduced if you secure access to the User-ID Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.
Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
Known Exploited Vulnerability
This Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
The following remediation steps are recommended / required by May 9, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be imp
Timeline
Updated with Threat Prevention ID and clarified the Required Configuration section.
Initial publication.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-0300 has been classified to as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2026-0300
Want to know whenever a new CVE is published for Palo Alto Networks PAN-OS? stack.watch will email you.
Affected Versions
Palo Alto Networks Cloud NGFW:- Version All is unaffected.
- Version 12.1.0 and below 12.1.7 is affected.
- Version 11.2.0 and below 11.2.12 is affected.
- Version 11.1.0 and below 11.1.15 is affected.
- Version 10.2.0 and below 10.2.18-h6 is affected.
- Version All is unaffected.