Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
Quick answer
Palo Alto Networks PAN-OS should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 10.2.0
- 10.2.1
- 10.2.2
- 10.2.3
- 10.2.4
- 10.2.5
- 10.2.6
- 10.2.7
- 10.2.8
- 10.2.9
- 10.2.10
- 10.2.11
- 10.2.12
- 10.2.13
- 10.2.14
- 10.2.15
- 10.2.16
- 10.2.17
- 10.2.18
- 11.1.0
- 11.1.1
- 11.1.2
- 11.1.3
- 11.1.4
- 11.1.5
- 11.1.6
- 11.1.7
- 11.1.8
- 11.1.9
- 11.1.10
- 11.1.11
- 11.1.12
- 11.1.13
- 11.1.14
- 11.2.0
- 11.2.1
- 11.2.2
- 11.2.3
- 11.2.4
- 11.2.5
- 11.2.6
- 11.2.7
- 11.2.8
- 11.2.9
- 11.2.10
- 11.2.11
- 12.1.2
- 12.1.3
- 12.1.4
- 12.1.5
- 12.1.6
- -
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CVE-2026-0300 is a critical PAN-OS buffer overflow in the User-ID Authentication Portal service. Palo Alto Networks reports exploitation against portals exposed to untrusted networks, so patching and exposure reduction should happen together. Upgrade PAN-OS to the fixed release for the installed branch, restrict or disable the Authentication Portal, and review firewall logs for attempted exploitation.
- Identify PA-Series and VM-Series firewalls with User-ID Authentication Portal enabled.
- Upgrade PAN-OS to the fixed release for the installed branch, or to a supported newer branch with the fix.
- Restrict User-ID Authentication Portal access to trusted internal zones and trusted source IP ranges only.
- Disable User-ID Authentication Portal if it is not required for the environment.
- Disable response pages on interfaces where untrusted or internet traffic can ingress unless explicitly required by the vendor guidance.
- Enable the relevant Threat Prevention content and signatures where licensed and supported.
- Review traffic, threat, system, and configuration logs for suspicious requests to the Authentication Portal.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm PAN-OS reports a fixed version for the deployed branch.
- Verify User-ID Authentication Portal is not reachable from the public internet or untrusted zones.
- Confirm response page and interface management profiles match the vendor mitigation guidance.
- Review firewall logs for blocked or suspicious exploit attempts after mitigation.
- Run a Fixnx scan and external exposure test against public firewall-facing services.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-0300?
Palo Alto Networks PAN-OS should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
