CVE-2026-0300 Palo Alto Networks PAN-OS Buffer Overflow Overview & Takeaways
Palo Alto Networks has disclosed a critical zero-day vulnerability in PAN-OS, tracked as CVE-2026-0300, affecting PA-Series and VM-Series firewalls with the User-ID Authentication Portal (Captive Portal) enabled. The flaw is a pre-authentication buffer overflow that allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on affected devices. Active exploitation has been confirmed in the wild, with attackers targeting portals exposed to untrusted networks or the public internet. Patches are not yet available; mitigations must be applied immediately.
What do I need to know?
- CVE: CVE-2026-41940
- Severity: 9.3 (Critical) — CVSS 4.0 (vendor advisory)
- Attack Vector: Unauthenticated, network-based, and no user interaction required — exploitation is automatable
- Root Cause: Out-of-bounds write / buffer overflow (CWE-787) in the User-ID Authentication Portal (Captive Portal) service; triggered by specially crafted network packets
Products and Systems Affected
Affected Products:
- PA-Series and VM-Series firewalls running PAN-OS with User-ID Authentication Portal enabled.
- Prisma Access, Cloud NGFW, and Panorama are not affected.
Affected Versions and Patch ETAs:
| PAN-OS Branch | Earliest Available Fix | Patch ETA |
|---|---|---|
| PAN-OS 12.1 | 12.1.4-h5 | May 13, 2026 |
| PAN-OS 11.2 | 11.2.7-h13 or 11.2.10-h6 | May 13, 2026 |
| PAN-OS 11.1 | 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, or 11.1.13-h5 | May 13, 2026 |
| PAN-OS 10.2 | 10.2.10-h36 or 10.2.18-h6 | May 13, 2026 |
What do I need to do?
We recommend the following steps to identify and remediate this vulnerability:
Review and Audit
- Inventory all PA-Series and VM-Series firewalls and confirm the PAN-OS version on each.
- Confirm whether the User-ID Authentication Portal is enabled: Device > User Identification > Authentication Portal Settings > Enable Authentication Portal. If the feature is not enabled, the device is not exposed to this CVE.
- Identify any instances where the Authentication Portal is reachable from untrusted network zones or the public internet. These are your highest-priority assets.
- Palo Alto has not published indicators of compromise. Log review is your primary detection mechanism: look for anomalous inbound traffic to the Captive Portal service and unexpected process execution (e.g., spawned child processes) on affected firewalls.
- Treat any internet-exposed instance with the portal enabled as potentially compromised pending mitigation or patch.
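The inventory and version checks above, as an added triage script that is not NetSPI's or Palo Alto Networks' tooling: it parses PAN-OS version strings, compares them with the fixed releases in the table, and folds in the portal-enabled and exposure checks. The version grammar (major.minor.maintenance[-hN]) and the treatment of maintenance releases not listed in the table are assumptions.

```python
"""Triage helper for CVE-2026-0300 (added example, not vendor tooling).
Fixed releases come from this page's table; the version grammar and the rule
that a maintenance release above every listed fix contains it are assumptions."""
import re

# Earliest fixed releases per PAN-OS branch, copied from the advisory table.
FIXED = {
    "12.1": ["12.1.4-h5"],
    "11.2": ["11.2.7-h13", "11.2.10-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.10-h25", "11.1.13-h5"],
    "10.2": ["10.2.10-h36", "10.2.18-h6"],
}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(ver):
    """'11.1.6-h32' -> (11, 1, 6, 32); a base release without a hotfix is h0."""
    m = _VER.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def is_vulnerable(ver):
    """True if ver predates the fix on its maintenance line; None when the
    branch is not in the table (check the vendor advisory instead)."""
    major, minor, maint, hotfix = parse(ver)
    fixes = [parse(f) for f in FIXED.get(f"{major}.{minor}", [])]
    if not fixes:
        return None
    for _, _, fmaint, fhotfix in fixes:
        if fmaint == maint:  # same maintenance line: only the hotfix level matters
            return hotfix < fhotfix
    # Assumption: a maintenance release above every listed fix includes it;
    # a lower line with no listed hotfix has no fix available at all.
    return maint < max(f[2] for f in fixes)

def triage(ver, portal_enabled, reachable_from_untrusted):
    """Apply the page's exposure rules: portal disabled -> not exposed;
    vulnerable and reachable from untrusted zones -> top priority."""
    if not portal_enabled:
        return "not exposed: Authentication Portal disabled"
    vuln = is_vulnerable(ver)
    if vuln is None:
        return "unknown branch: consult the vendor advisory"
    if not vuln:
        return "fixed"
    if reachable_from_untrusted:
        return "CRITICAL: restrict or disable the portal now and start IR"
    return "vulnerable: restrict portal to trusted ranges, patch when released"
```

Feed it one line per firewall from your inventory (version, portal flag, exposure flag) to rank which devices need the mitigations first.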
Mitigation
Patches are not yet available; mitigations should be implemented immediately until patches can be applied.
- Restrict portal access immediately: Limit User-ID Authentication Portal access to trusted internal IP ranges only. Follow Palo Alto’s best practice guidance. The portal should never be reachable from the internet.
- Disable the portal if not required: Device > User Identification > Authentication Portal Settings > Disable Authentication Portal.
- Enable Threat Prevention Signature (PAN-OS 11.1+): Palo Alto released a detection signature on May 5, 2026, that actively blocks exploitation attempts. This is a meaningful interim control for supported versions.
- If the portal has been internet-exposed and unmitigated, initiate incident response procedures — do not assume the device is clean.
Patch Immediately
- Patches are not yet available. Apply per the version table above as releases become available (first wave May 13, second wave May 28).
- Monitor the Palo Alto Networks Security Advisory for release confirmation before deploying.
NetSPI Product and Services Coverage
NetSPI’s External Attack Surface Management service has released a detection for this vulnerability, which can augment internal efforts to identify vulnerable PAN-OS devices.
- Detection name: Vulnerable Version – Palo Alto PAN-OS Authentication Portal (CVE-2026-0300)
NetSPI’s Penetration Testing Services can also help identify exposure to this vulnerability.
Additional Resources