CVE-2026-0300: Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
CVE-2026-0300 is a Severity not scored in source feed flaw in Palo Alto Networks PAN-OS. Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. It is listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-05-06), meaning it is being actively exploited. The fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.
Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.
Vulnerability details
| Field | Value |
|---|---|
| CVE ID | CVE-2026-0300 |
| Vulnerability | Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability |
| Vendor / product | Palo Alto Networks — PAN-OS |
| CVSS base score | Not in source feed |
| Severity | — |
| Weakness (CWE) | CWE-787 |
| Added to CISA KEV | 2026-05-06 |
| CISA remediation due | 2026-05-09 |
| Known ransomware use | Unknown |
Source: CISA Known Exploited Vulnerabilities Catalog. Data as of 2026-06-13.
What is the risk?
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
How to remediate CVE-2026-0300
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.
U.S. federal civilian agencies were required to remediate this vulnerability by 2026-05-09 under CISA Binding Operational Directive 22-01. Private organizations should treat it with comparable urgency.
References
Frequently asked questions
What is CVE-2026-0300?
CVE-2026-0300 is a vulnerability in Palo Alto Networks PAN-OS: Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
How severe is CVE-2026-0300?
The CISA KEV catalog does not publish a CVSS base score for this entry. Check the NVD record for the official score. Its presence in the KEV catalog means it is confirmed to be exploited in the wild.
Is CVE-2026-0300 being exploited in the wild?
Yes. It appears in the CISA Known Exploited Vulnerabilities (KEV) catalog, which only lists vulnerabilities with reliable evidence of active exploitation. It was added on 2026-05-06.
How do I fix CVE-2026-0300?
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.
Related vulnerabilities
- CVE-2026-0257: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
- CVE-2009-3459: Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
- CVE-2025-48595: Android Framework Integer Overflow Vulnerability
- CVE-2026-7473: Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Last updated: 2026-06-13