Out-of-bounds write in Palo Alto PAN-OS (CVE-2026-0300) — unauthenticated root code execution on the firewall
PAN-OS, the OS for Palo Alto Networks firewalls, has an out-of-bounds write flaw in the User-ID Authentication Portal (Captive Portal). A remote, unauthenticated attacker can execute code as root on PA-Series and VM-Series firewalls via crafted packets. CISA listed it as known-exploited (KEV) (CVSS 9.8 Critical, per NVD).
Key facts
- CVE ID: CVE-2026-0300
- CVSS base score: 9.8 CRITICAL
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): Palo Alto Networks PAN-OS
- CWE: CWE-787 (Out-of-bounds Write)
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-05-09 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Out-of-bounds write in the User-ID Authentication Portal (Captive Portal) of PAN-OS
- A remote, unauthenticated attacker can run code as root on PA/VM-Series via crafted packets
- Listed in CISA KEV = exploitation confirmed; NVD base score near-maximum 9.8 Critical
- Taking over the firewall itself turns the linchpin of defense into the attacker's base
- Response: apply Palo Alto's fix; review Captive Portal exposure and logs (federal deadline May 9, 2026)
CVE-2026-0300 is an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) of Palo Alto Networks PAN-OS. PAN-OS is the OS that runs Palo Alto's boundary firewalls (PA-Series and VM-Series).
Per CISA, an unauthenticated attacker can achieve root-privileged remote code execution (RCE) on the firewall by sending specially crafted packets. An out-of-bounds write (CWE-787) is a flaw where a program writes beyond the memory region allocated for a buffer; the bytes land in adjacent data or control structures, and an attacker who controls those bytes can corrupt program state and, ultimately, execute arbitrary code. That the flaw sits in an authentication portal makes it worse: the portal is, by design, an endpoint that accepts traffic from clients that have not yet logged in.
A flaw in this class of device is dangerous because (1) the firewall sits at the internet/internal boundary and is reachable from outside, and (2) once the firewall itself is taken over, the linchpin of defense becomes the attacker's base: traffic inspection, logging, and policy enforcement are now under attacker control. The flaw needs no authentication and has low attack complexity, with high impact to confidentiality, integrity, and availability (matching the CVSS vector above).
Key response: check Palo Alto Networks' official security advisory, identify affected PAN-OS versions, and determine whether the User-ID Authentication Portal (Captive Portal) is enabled and on which interfaces and zones it is served; then apply the fix or the vendor's mitigation. CISA required federal civilian agencies to remediate by May 9, 2026 (a practical benchmark for others); as a perimeter device, act as early as possible. Because the CVE was exploited before it was cataloged, treat patching as necessary but not sufficient: review the portal's access logs and the firewall's own system and configuration-change logs for activity predating the patch, and follow any indicators of compromise the vendor advisory provides.
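To make the CWE-787 mechanism concrete, here is an added example that is not the page's or Palo Alto's code and does not reproduce the actual PAN-OS bug (the page gives no details of it). It is a constructed, captive-portal-style login handler: the `struct login_req` layout, the `user=` form field, and the function names are all hypothetical. The unchecked copy writes past the 32-byte username buffer into the adjacent `authenticated` flag; the hardened version refuses any value that would not fit.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed illustration of CWE-787 (out-of-bounds write).
 * Hypothetical layout; NOT the PAN-OS Captive Portal code. */
#define USER_MAX 32

struct login_req {
    char user[USER_MAX];     /* username copied from the request body */
    uint32_t authenticated;  /* sits right after the buffer in memory */
};

/* Locate "key=" in an application/x-www-form-urlencoded body.
 * Returns a pointer to the value and its length, or NULL if absent. */
static const char *find_field(const char *body, const char *key, size_t *len) {
    size_t klen = strlen(key);
    const char *p = body;
    while (*p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *e = strchr(v, '&');
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');   /* skip to the next field */
        if (!p) break;
        p++;
    }
    return NULL;
}

/* VULNERABLE: copies the value without consulting sizeof(req->user).
 * A value of USER_MAX bytes or more writes past the array into
 * whatever follows it (here, the authenticated flag). */
int parse_user_unchecked(struct login_req *req, const char *body) {
    size_t len;
    const char *v = find_field(body, "user", &len);
    if (!v) return -1;
    for (size_t i = 0; i < len; i++)
        req->user[i] = v[i];
    req->user[len] = '\0';
    return (int)len;
}

/* HARDENED: the length check counts the terminating NUL, so anything
 * that would touch byte USER_MAX or beyond is refused with -2. */
int parse_user_checked(struct login_req *req, const char *body) {
    size_t len;
    const char *v = find_field(body, "user", &len);
    if (!v) return -1;
    if (len >= sizeof req->user) return -2;
    memcpy(req->user, v, len);
    req->user[len] = '\0';
    return (int)len;
}

/* Convenience wrapper: parse into a scratch struct and return the code. */
int checked_result(const char *body) {
    struct login_req r = {0};
    return parse_user_checked(&r, body);
}

int main(void) {
    /* Constructed request bodies. The long username is 35 'A's: 32 fill
     * the buffer, bytes 33..35 plus the NUL land on the 4-byte flag. */
    const char *ok  = "user=alice&pw=secret";
    const char *bad = "user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&pw=x";

    struct login_req r1 = {0}, r2 = {0}, r3 = {0};
    printf("checked   ok:  rc=%d user=%s\n", parse_user_checked(&r1, ok), r1.user);
    printf("checked   bad: rc=%d flag=%u (input rejected)\n",
           parse_user_checked(&r2, bad), r2.authenticated);
    parse_user_unchecked(&r3, bad);
    /* On a little-endian, unpadded layout the flag is now 0x00414141:
     * attacker-supplied bytes have overwritten a security decision. */
    printf("unchecked bad: flag=0x%08x (was 0)\n", r3.authenticated);
    return 0;
}
```

The demonstration overwrites only a neighbouring field for clarity; in a real service the same primitive, applied to saved return addresses, function pointers, or heap metadata, is what turns a write into code execution. The check in `parse_user_checked` is the whole fix: compare the incoming length against the destination's size before copying, and count the terminator.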
Why it matters
The firewall guarding the boundary can itself be taken to root without authentication. Organizations running Palo Alto firewalls at the boundary should inventory where the Captive Portal is enabled, patch immediately, and review access logs for activity before the patch was applied. The case reflects the broader trend of attacks aimed at the defensive devices themselves.
FAQ
What is PAN-OS?
PAN-OS is the operating system that runs Palo Alto Networks' PA-Series (hardware) and VM-Series (virtual) firewalls.
What is an out-of-bounds write?
A flaw (CWE-787) where a program writes data beyond the memory region allocated for it, corrupting adjacent memory; in the worst case, as here, an attacker can use it to execute arbitrary code.
What should I do?
Read the Palo Alto Networks advisory, identify affected PAN-OS versions and whether the User-ID Authentication Portal (Captive Portal) is enabled and exposed, apply the fix or mitigation, and review access logs. The federal remediation deadline was May 9, 2026.
Sources (primary)
This article is an independent summary based on the U.S. official data listed below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).