Full Report
Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild. The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any
Analysis Summary
# Vulnerability: PAN-OS User-ID Portal Unauthenticated Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-0300
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow) / CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software.
- **Versions:** The 10.1, 10.2, 11.0, 11.1 and 11.2 release lines are the ones such advisories commonly list, but the exact affected version ranges are given only in the vendor advisory; check it for the full list.
- **Configurations:** The vulnerability specifically impacts devices where the **User-ID Authentication Portal** is configured and accessible (particularly from the internet).
## Vulnerability Description
This is a critical **buffer overflow** vulnerability within the PAN-OS User-ID Authentication Portal. The flaw allows an unauthenticated remote attacker to send specially crafted malicious requests to the portal. Because the software fails to properly validate the length of the input before copying it to a fixed-size memory buffer, the attacker can overwrite adjacent memory, leading to arbitrary code execution with root privileges on the device.
## Exploitation
- **Status:** **Exploited in the wild.** Palo Alto Networks has confirmed active exploitation of this flaw.
- **Complexity:** Low (No authentication or user interaction required).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to device data and credentials).
- **Integrity:** High (Attacker can modify system configuration and software).
- **Availability:** High (Attacker can crash the service or seize control of the device).
## Remediation
### Patches
Palo Alto Networks has released security updates to address this vulnerability. Recommended actions include upgrading to:
- PAN-OS 10.1.x (Refer to latest maintenance release)
- PAN-OS 10.2.x (Refer to latest maintenance release)
- PAN-OS 11.x (Refer to latest maintenance release)
*(Users must consult the official Palo Alto Networks Security Advisories portal for the exact fixed version numbers.)*
### Workarounds
- **Disable Internet Access:** Disable internet access to the User-ID Authentication Portal or restrict access to trusted source IP addresses via security policies.
- **Service Disablement:** If the User-ID Authentication Portal is not required for business operations, disable the service entirely until patches can be applied.
## Detection
- **Indicators of Compromise:** Look for unusual crashes of the `authd` or `useridd` processes. Monitor for unexpected outbound traffic from the management interface or firewall dataplane.
- **Detection methods and tools:**
  - Review system logs for segmentation faults related to the authentication portal.
  - Deploy Threat Prevention signatures (if available) that detect buffer overflow patterns targeting the User-ID portal.
  - Utilize Palo Alto Networks' "Expedition" or "Cortex XDR" to identify anomalous behavior on the appliance.
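As an added example (not from the advisory and not Palo Alto Networks' code), the following Python triage script applies the detection guidance above to constructed syslog-style lines: it flags crashes of the `authd` / `useridd` processes, portal requests whose source is outside a trusted allowlist (the workaround's trusted-IP restriction, checked after the fact in logs), and whether a crash was logged after an untrusted request. The log line format, the wording of the crash messages, and the sample addresses are assumptions made for illustration; real PAN-OS log fields differ and the regexes would need to be adapted.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Constructed sample lines in a generic syslog style. This is NOT the real
# PAN-OS log format; field names and message wording are assumptions.
SAMPLE_LOGS = [
    "2026-01-14T10:02:11Z fw01 authd[1820]: portal request src=198.51.100.20 status=200",
    "2026-01-14T10:02:15Z fw01 authd[1820]: portal request src=203.0.113.7 status=500",
    "2026-01-14T10:02:16Z fw01 kernel: authd[1820]: segfault at 7f3c2a10 ip 00005586 sp 00007ffd error 4",
    "2026-01-14T10:02:20Z fw01 useridd[1901]: exited abnormally, restarting",
    "2026-01-14T10:05:00Z fw01 mgmtd[900]: commit succeeded",
]

# Crash indicators for the two portal-related processes named in the advisory.
CRASH_RE = re.compile(
    r"(?P<proc>authd|useridd)\[(?P<pid>\d+)\]: .*?(?P<reason>segfault|exited abnormally)"
)
# Portal request lines carrying a source address (assumed field name "src=").
REQUEST_RE = re.compile(
    r"(?P<proc>authd|useridd)\[\d+\]: portal request src=(?P<src>[\d.]+)"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str   # ISO-8601 text; sorts lexically in chronological order
    process: str
    kind: str        # "crash" or "untrusted_request"
    detail: str      # crash reason, or the offending source address


def _timestamp(line: str) -> str:
    return line.split(" ", 1)[0]


def find_crashes(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per crash message from authd or useridd."""
    out = []
    for line in lines:
        m = CRASH_RE.search(line)
        if m:
            out.append(Finding(_timestamp(line), m["proc"], "crash", m["reason"]))
    return out


def find_untrusted_requests(lines: Iterable[str], trusted_networks: Iterable[str]) -> List[Finding]:
    """Return portal requests whose source is outside every trusted network."""
    nets = [ip_network(n) for n in trusted_networks]
    out = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        src = ip_address(m["src"])
        if not any(src in net for net in nets):
            out.append(Finding(_timestamp(line), m["proc"], "untrusted_request", str(src)))
    return out


def crash_follows_untrusted(crashes: List[Finding], untrusted: List[Finding]) -> bool:
    """True if any crash was logged after any untrusted portal request."""
    return any(c.timestamp > u.timestamp for c in crashes for u in untrusted)


def triage(lines: List[str], trusted_networks: Iterable[str], crash_threshold: int = 1) -> dict:
    """Summarise the indicators; 'escalate' means hand the host to incident response."""
    crashes = find_crashes(lines)
    untrusted = find_untrusted_requests(lines, trusted_networks)
    return {
        "crash_count": len(crashes),
        "crash_processes": sorted({f.process for f in crashes}),
        "untrusted_sources": sorted({f.detail for f in untrusted}),
        "crash_follows_untrusted": crash_follows_untrusted(crashes, untrusted),
        "escalate": len(crashes) >= crash_threshold or bool(untrusted),
    }


if __name__ == "__main__":
    # 198.51.100.0/24 stands in for the organisation's trusted management range.
    for key, value in triage(SAMPLE_LOGS, ["198.51.100.0/24"]).items():
        print(f"{key}: {value}")
```

A single crash of either process is treated as worth escalating because, for a memory-safety bug in an internet-facing service, a segfault is the failure mode of an exploit attempt that did not land cleanly; the timestamp correlation is the stronger signal and is what an analyst should check first.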
## References
- **Vendor Advisory:** hxxps[://]advisories[.]paloaltonetworks[.]com/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-0300
- **Unit 42 Analysis:** hxxps[://]unit42[.]paloaltonetworks[.]com/