CVE-2026-0300: Palo Alto Networks PAN-OS Out-of-Bounds Write Vulnerability

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


A critical out-of-bounds write vulnerability in the Palo Alto Networks PAN-OS Captive Portal service allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Added to CISA KEV on 2026-05-06.

Dylan H.

Security Team

May 6, 2026
7 min read

Affected Products

  • Palo Alto Networks PAN-OS (PA-Series firewalls)
  • Palo Alto Networks PAN-OS (VM-Series firewalls)

Executive Summary

A critical out-of-bounds write vulnerability (CVE-2026-0300) has been disclosed in Palo Alto Networks PAN-OS, affecting the User-ID Authentication Portal (also known as the Captive Portal) service. An unauthenticated remote attacker can send specially crafted packets to exploit this flaw and execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls. The vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-05-06, which confirms active exploitation in the wild.


Vulnerability Overview

Attribute               | Value
CVE ID                  | CVE-2026-0300
Severity                | Critical
Type                    | Out-of-Bounds Write (CWE-787)
Affected Component      | User-ID Authentication Portal (Captive Portal)
Attack Vector           | Network
Authentication Required | None
User Interaction        | None
Impact                  | Remote Code Execution with root privileges
Affected Products       | PA-Series firewalls, VM-Series firewalls
CISA KEV Added          | 2026-05-06
Source                  | CISA KEV

Affected Products

Product Line        | Description                                                        | Status
PA-Series Firewalls | Physical next-generation firewall appliances                       | Vulnerable
VM-Series Firewalls | Virtualized firewall deployments on hypervisors and cloud platforms | Vulnerable

The Palo Alto Networks PA-Series and VM-Series are enterprise-grade next-generation firewalls deployed globally in government agencies, financial institutions, critical infrastructure, and Fortune 500 environments. Their privileged network position — handling all inbound and outbound traffic — makes exploitation of this vulnerability exceptionally high impact.


Technical Details

Vulnerability Root Cause

The vulnerability resides in the User-ID Authentication Portal (Captive Portal) service, which is responsible for authenticating users attempting to access network resources through the firewall. The flaw is an out-of-bounds write condition: the service fails to properly validate input length before writing data, allowing an attacker to write beyond the intended buffer boundary into adjacent memory regions.

On affected systems, this corrupted memory can contain function pointers or return addresses. By carefully crafting the overflow payload, an attacker can redirect code execution to attacker-controlled shellcode or a ROP chain, ultimately achieving arbitrary code execution with the privileges of the Captive Portal service — which runs as root on PAN-OS.

Attack Chain

1. Attacker identifies a Palo Alto PA-Series or VM-Series firewall
   with the Captive Portal (User-ID Authentication Portal) service
   exposed on a reachable network interface
 
2. Attacker crafts a specially formed packet targeting the Captive
   Portal service with an oversized or malformed field that triggers
   the out-of-bounds write condition
 
3. The PAN-OS Captive Portal service writes attacker-controlled bytes
   beyond the intended buffer boundary into adjacent memory
 
4. Corrupted adjacent memory (function pointer, return address, or
   vtable entry) causes redirected code execution
 
5. Attacker achieves arbitrary code execution with root privileges
   on the firewall
 
6. Attacker can: exfiltrate firewall configurations, credential stores,
   and routing tables; modify firewall rules to allow malicious traffic;
   install persistent backdoors; pivot to connected network segments

Why This Is Particularly Dangerous

Firewalls occupy a uniquely privileged position in network architecture. Compromising a perimeter firewall grants an attacker:

  • Full network visibility — the ability to intercept, redirect, or drop all traffic passing through the firewall
  • Configuration access — firewall rules, NAT policies, VPN credentials, and security profiles
  • Lateral movement — a trusted pivot point into internal network segments that the firewall protects
  • Credential interception — the Captive Portal processes user authentication, meaning compromised portal processes may have access to authentication credentials in memory

Impact Assessment

Impact Area                | Description
Remote Code Execution      | Arbitrary code execution on the firewall with root privileges
Network Security Bypass    | Attacker can modify firewall policies to permit malicious traffic
Traffic Interception       | All inbound and outbound traffic can be intercepted or redirected
Credential Theft           | Authentication credentials processed by Captive Portal may be accessible
Lateral Movement           | Compromised firewall serves as a trusted internal pivot point
Persistent Backdoor        | Root access enables installation of persistent implants surviving reboots
Configuration Exfiltration | VPN configs, routing tables, security policies can be stolen

CISA KEV Context

The addition of CVE-2026-0300 to the CISA Known Exploited Vulnerabilities catalog confirms that threat actors are actively exploiting this vulnerability in real-world attacks. CISA KEV listings typically occur when:

  1. CISA has received credible reports of active exploitation
  2. The affected product is widely deployed in government and critical infrastructure
  3. The vulnerability poses a severe risk to federal civilian executive branch (FCEB) agencies

Federal agencies are required to remediate CISA KEV vulnerabilities within the mandated deadline. Given Palo Alto firewalls' prevalence in government and critical infrastructure, the risk to the broader ecosystem is significant.


Recommendations

Immediate Actions

  1. Apply vendor patches immediately — Monitor the Palo Alto Networks Security Advisories page for patches addressing CVE-2026-0300 and apply them without delay
  2. Restrict Captive Portal exposure — If the Captive Portal / User-ID Authentication Portal is not required, disable it on affected interfaces
  3. Limit management plane access — Ensure PAN-OS management interfaces are not exposed to untrusted networks; restrict access to known management hosts
  4. Enable Threat Prevention — If a Palo Alto Threat Prevention subscription is active, verify that signatures covering CVE-2026-0300 exploitation attempts are enabled and up to date

Network-Level Mitigations

- Block access to the Captive Portal service (default ports: 80, 443)
  from untrusted external networks at the upstream network layer
 
- Apply ACLs restricting Captive Portal service access to
  authenticated internal subnets only
 
- Monitor firewall management logs for unexpected configuration
  changes or administrative sessions
 
- Enable Panorama (if deployed) for centralized visibility into
  policy changes across all PA/VM-Series devices
 
- Verify no unexpected outbound connections from firewall management
  IPs (potential C2 activity post-exploitation)

Workaround (Pending Patch)

If an official patch is not yet available, Palo Alto Networks typically provides a temporary workaround for critical vulnerabilities. Check the vendor advisory for the latest guidance. Common interim controls include:

1. Disable the User-ID Authentication Portal / Captive Portal
   on all external-facing interfaces
 
2. Apply the recommended Threat Prevention content updates to
   detect and block known exploitation patterns
 
3. Restrict the data plane interface zones that can reach the
   Captive Portal listener
 
4. Enable enhanced application logging to capture anomalous
   traffic to Captive Portal endpoints

Detection Indicators

Indicator                                                   | Description
Malformed packets to Captive Portal (ports 80/443)          | Potential exploitation attempts against the vulnerable service
Unexpected process execution by Captive Portal              | Possible post-exploitation activity
Unauthorized firewall rule changes                          | Possible attacker modifying policies post-compromise
Unexpected outbound connections from firewall management IP | Possible C2 communication or data exfiltration
New administrative accounts or SSH keys                     | Possible persistence mechanism installed by attacker
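The last three indicators in the table are visible in the firewall's own management logs. The following Python script is an added example (not part of the original alert or any Palo Alto Networks tooling) that runs those checks over a constructed, simplified log format; real PAN-OS config and system logs carry many more CSV fields, and the approved jump hosts, update-server addresses and change window are assumptions to replace with your own.

```python
"""Flag post-exploitation indicators in constructed PAN-OS-style management
log lines. Simplified format (assumption): timestamp,type,admin,source,command."""
import csv
import io
from datetime import datetime

# Constructed sample: one legitimate change from the jump host during business
# hours, followed by activity matching the indicator table above.
SAMPLE_LOG = """\
2026/05/06 09:12:41,CONFIG,jsmith,10.0.5.20,set rulebase security rules allow-dns action allow
2026/05/06 03:14:07,CONFIG,admin,198.51.100.77,set mgt-config users backup-svc permissions role-based superuser yes
2026/05/06 03:15:22,CONFIG,admin,198.51.100.77,set mgt-config users admin public-key <key>
2026/05/06 03:16:03,SYSTEM,,,outbound connection from mgmt 10.0.5.1 to 203.0.113.9:443
"""

ALLOWED_ADMIN_SOURCES = {"10.0.5.20"}   # assumption: approved admin jump hosts
ALLOWED_MGMT_DESTS = {"10.0.5.50"}      # assumption: Panorama / update server
CHANGE_WINDOW = (8, 18)                 # assumption: approved change hours (local)


def analyze(log_text, sources=ALLOWED_ADMIN_SOURCES,
            dests=ALLOWED_MGMT_DESTS, window=CHANGE_WINDOW):
    """Return (line_number, indicator) pairs for lines matching an indicator."""
    findings = []
    for n, row in enumerate(csv.reader(io.StringIO(log_text)), 1):
        if len(row) < 5:
            continue  # malformed or truncated line: skip rather than crash
        ts, kind, _admin, src, cmd = row[:5]
        hour = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S").hour
        if kind == "CONFIG":
            if src not in sources:
                findings.append((n, "config change from unapproved source"))
            if not window[0] <= hour < window[1]:
                findings.append((n, "config change outside change window"))
            # New admin rights or SSH key material added to an admin account
            if " users " in cmd and ("superuser" in cmd or "public-key" in cmd):
                findings.append((n, "new admin privilege or SSH key"))
        elif kind == "SYSTEM" and cmd.startswith("outbound connection from mgmt"):
            dest = cmd.rsplit(" to ", 1)[1].split(":")[0]
            if dest not in dests:
                findings.append((n, "unexpected outbound connection from mgmt IP"))
    return findings


if __name__ == "__main__":
    for line_no, reason in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```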

Example Detection Rule (Suricata)

# Heuristic rule: flags large HTTP requests to the portal listener that carry
# "User-ID" in a request header. Define $PANOS_MGMT_NET (the addresses the
# Captive Portal listens on) in suricata.yaml; http.header is a sticky buffer,
# so the content match that follows it applies to the request headers. The
# dsize threshold is coarse and will need tuning for your traffic. Lines end
# in a backslash so Suricata reads the rule as a single entry.
alert http $EXTERNAL_NET any -> $PANOS_MGMT_NET any ( \
  msg:"CVE-2026-0300 Palo Alto Captive Portal Exploit Attempt"; \
  flow:to_server,established; \
  http.header; \
  content:"User-ID"; \
  dsize:>4096; \
  classtype:attempted-admin; \
  sid:9026300; \
  rev:1; \
)

Post-Remediation Checklist

  1. Verify patch application — Confirm PAN-OS version reflects the patched release
  2. Rotate all firewall credentials — Admin accounts, service accounts, API keys, and any credentials stored on or processed by the device
  3. Audit firewall rule changes — Review all policy modifications since the vulnerability window opened
  4. Check for persistence — Inspect scheduled tasks, cron jobs, SSH authorized_keys, and configuration scripts for unauthorized entries
  5. Review Panorama logs — Identify any unauthorized management sessions or configuration pushes
  6. Notify downstream teams — If compromise is suspected, treat all credentials that may have traversed the firewall as potentially stolen
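Step 1 of the checklist is easy to get wrong when a fix ships as a hotfix (the "-hN" suffix) rather than a new maintenance release. The helper below is an added example, not vendor code: it parses PAN-OS version strings and compares the running version with the first fixed release for its branch. The fixed versions in it are placeholders, because this alert does not list them; take the real values from the Palo Alto Networks advisory for CVE-2026-0300.

```python
"""Compare a running PAN-OS version against the first fixed release per branch."""
import re

# PLACEHOLDER values: replace with the fixed releases from the vendor advisory.
FIXED_VERSIONS = {
    "10.2": "10.2.99-h1",
    "11.1": "11.1.99",
    "11.2": "11.2.99",
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Return (major, minor, maint, hotfix) for strings like '11.1.4-h7'.
    A base release has hotfix 0, so it sorts before its own -h1 hotfix."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_patched(running, fixed=FIXED_VERSIONS):
    """True if `running` is at or above the fixed release for its branch.
    Returns None for a branch not in the table: verify that device by hand."""
    parsed = parse_version(running)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in fixed:
        return None
    return parsed >= parse_version(fixed[branch])


if __name__ == "__main__":
    for v in ("10.2.99", "10.2.99-h1", "11.1.100", "9.1.5"):
        print(v, is_patched(v))
```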

References

  • CISA Known Exploited Vulnerabilities Catalog — CVE-2026-0300
  • NIST NVD — CVE-2026-0300
  • Palo Alto Networks Security Advisories
  • CWE-787: Out-of-Bounds Write