Palo Alto Networks PAN-OS, Buffer Overflow Vulnerability, CVE-2026-0300 (Critical) -DC-Jul2026-899

Listen to this Post

How CVE-2026-0300 Works

CVE-2026-0300 is a critical unauthenticated buffer overflow vulnerability residing in the User-ID Authentication Portal (also known as the Captive Portal) service of Palo Alto Networks PAN-OS software. The flaw stems from insufficient boundary checks when the service processes specially crafted network packets, allowing a remote attacker to write data beyond the allocated memory buffer.
The User-ID Authentication Portal is a feature that intercepts and authenticates users before granting network access. When enabled and exposed to untrusted networks, the portal listens for incoming requests. An unauthenticated attacker can send a maliciously crafted packet to this service, triggering a stack-based buffer overflow. This overflow corrupts memory and overwrites critical execution structures, enabling the attacker to execute arbitrary code with root-level privileges on the affected firewall.
Exploitation does not require any prior authentication or user interaction. The attack vector is network-based, and the vulnerability can be exploited remotely if the management interface profile with the response page is attached to any L3 interface in a zone reachable by untrusted traffic. Successful exploitation grants the attacker full control over the device, potentially leading to complete system compromise. Palo Alto Networks has confirmed that this vulnerability is being actively exploited in the wild.
The vulnerability affects PA-Series and VM-Series firewalls configured with the User-ID Authentication Portal feature. Panorama and Cloud NGFW are not impacted by this issue.

DailyCVE Form:

Platform: PAN-OS
Version: 10.2.x < fixed
Vulnerability: Buffer Overflow
Severity: Critical (9.3 CVSSv4)
date: 2026-05-06

Prediction: Patch already available

What Undercode Say:

Analytics from active exploitation campaigns indicate attackers are primarily targeting internet-exposed management interfaces. The following commands can help assess exposure:

Check if User-ID Authentication Portal is enabled
curl -k https://<firewall-ip>/php/login.php
Verify PAN-OS version
ssh admin@<firewall-ip> "show system info | match version"
Check for suspicious connections to port 443/tcp
netstat -an | grep :443 | grep ESTABLISHED

Exploit:

Proof-of-concept exploits have been publicly released. The attack involves sending a specially crafted HTTP/HTTPS request to the User-ID Authentication Portal service. The buffer overflow is triggered during parsing of specific headers or parameters, leading to memory corruption and arbitrary code execution as root. Attackers are leveraging this vulnerability to deploy backdoors, establish persistent access, and move laterally within compromised networks.

Protection:

  • Immediately upgrade PAN-OS to the following fixed versions:
  • 10.2.7-h34 or later
  • 10.2.10-h36 or later
  • 10.2.13-h21 or later
  • 10.2.16-h7 or later
  • 10.2.18-h6 or later
  • Restrict management access to trusted internal IP addresses only.
  • Disable the User-ID Authentication Portal if not required.
  • Deploy firewall rules to block untrusted traffic from reaching the management interface.
  • Monitor for indicators of compromise, including unexpected processes or outbound connections.

Impact:

  • Confidentiality: Full system compromise; attackers can read sensitive data.
  • Integrity: Arbitrary code execution with root privileges; attackers can modify system files and configurations.
  • Availability: Potential for complete device takeover; firewalls may be rendered inoperative.
  • Scope: Affects PA-Series and VM-Series firewalls with User-ID Authentication Portal enabled and exposed to untrusted networks.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top