Full Report
Palo Alto Networks security advisory (AV26-425)
Analysis Summary
# Vulnerability: Unauthenticated Buffer Overflow in PAN-OS User-ID™ Authentication Portal
## CVE Details
- **CVE ID:** CVE-2026-0300
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS (Next-Generation Firewalls)
- **Versions:**
- PAN-OS 12.1: 12.1.4 builds earlier than 12.1.4-h5, and all other 12.1 releases earlier than 12.1.7 (so 12.1.5 and 12.1.6 are affected even though they post-date 12.1.4)
- PAN-OS 11.2: Multiple versions (Refer to vendor advisory for full list)
- PAN-OS 11.1: Multiple versions (Refer to vendor advisory for full list)
- PAN-OS 10.2: Multiple versions (Refer to vendor advisory for full list)
- **Configurations:** Systems where the User-ID™ Authentication Portal (named Captive Portal in older PAN-OS releases) or GlobalProtect Captive Portal is enabled and reachable from untrusted networks. A device that has the feature licensed but not enabled on any interface does not expose the vulnerable service.
## Vulnerability Description
A critical stack-based buffer overflow vulnerability exists in the User-ID™ Authentication Portal component of PAN-OS. The flaw is caused by improper validation of user-supplied input length before copying it into a fixed-size stack buffer. An unauthenticated remote attacker can exploit this by sending a specially crafted request to the portal, leading to memory corruption.
## Exploitation
- **Status:** **Exploited in the wild.** Palo Alto Networks has confirmed reports of active exploitation.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High. Arbitrary code execution as root exposes the device configuration, stored credentials and keys, and traffic passing through the firewall.
- **Integrity:** High. The attacker can alter policy, add administrative accounts, and modify or backdoor the running system.
- **Availability:** High. Failed exploitation attempts crash the service; successful ones give the attacker persistent control of the device.
## Remediation
### Patches
Palo Alto Networks has released the following expedited software updates:
- **PAN-OS 12.1:** Update to 12.1.4-h5, 12.1.7, or later.
- **PAN-OS 11.2:** Update to 11.2.4-h1 or later.
- **PAN-OS 11.1:** Update to 11.1.5-h3 or later.
- **PAN-OS 10.2:** Update to 10.2.12-h2 or later.
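Deciding whether a given build is covered by one of the fixes above is error-prone by hand because PAN-OS hotfix numbering does not sort linearly: 12.1.4-h5 is fixed, yet 12.1.5 and 12.1.6 are not, and a train for which this summary lists only a hotfix (11.2.4-h1) says nothing about later maintenance releases. The following added example, written for this page and not Palo Alto Networks code, encodes the fixed versions listed above and applies that rule. It assumes the usual PAN-OS semantics: a fix with a `-hN` suffix covers only that maintenance release at hotfix N or higher, while a fix without a suffix covers that release and every later one in the same train; anything the listed fixes cannot vouch for is reported as `unknown` rather than guessed.

```python
"""Fixed-version check for the PAN-OS releases listed in this advisory summary.

Added example; assumes the hotfix semantics described in the lead-in.
"""
import re
from typing import Dict, List, Tuple

# Fixed releases exactly as listed in the Remediation section of this summary.
FIXED_VERSIONS = ["12.1.4-h5", "12.1.7", "11.2.4-h1", "11.1.5-h3", "10.2.12-h2"]

# major.minor.maintenance with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)


def parse_version(text: str) -> Version:
    """Parse '12.1.4-h5' into (12, 1, 4, 5); a missing hotfix is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def fix_status(version: str, fixed: List[str] = FIXED_VERSIONS) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one PAN-OS version string.

    Assumed rule (see lead-in): a hotfix entry covers only its own maintenance
    release; a base-release entry covers that release and later ones.
    """
    major, minor, maint, hotfix = parse_version(version)
    train_fixes = [parse_version(f) for f in fixed
                   if parse_version(f)[:2] == (major, minor)]
    if not train_fixes:
        return "unknown"  # train not covered by this summary; check the vendor advisory

    for _, _, fmaint, fhot in train_fixes:
        if fhot:
            # Hotfix fix: same maintenance release, at or above the fixed hotfix.
            if maint == fmaint and hotfix >= fhot:
                return "fixed"
        elif maint >= fmaint:
            # Base-release fix: this or any later maintenance release in the train.
            return "fixed"

    # A maintenance release newer than a hotfix-only fix may or may not carry it;
    # without a base-release fix listed for the train we cannot tell.
    newest_listed = max(f[2] for f in train_fixes)
    if all(f[3] for f in train_fixes) and maint > newest_listed:
        return "unknown"
    return "vulnerable"


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by fix status. `inventory` maps hostname -> version."""
    groups: Dict[str, List[str]] = {"fixed": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[fix_status(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are made up.
    sample = {
        "fw-edge-01": "12.1.4-h3",
        "fw-edge-02": "12.1.5",
        "fw-dc-01": "12.1.7",
        "fw-branch-07": "11.2.5",
        "fw-lab-01": "10.2.12-h2",
    }
    for status, hosts in triage_fleet(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Treat `unknown` as a prompt to read the vendor advisory for that train, not as a pass: the script only knows the fixed versions reproduced on this page.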
### Workarounds
- **Disable Authentication Portal:** If not business-critical, disable the User-ID™ Authentication Portal and Captive Portal.
- **Restrict Access:** Implement strict Access Control Lists (ACLs) to ensure the portal is only accessible from trusted internal IP ranges.
## Detection
- **Indicators of Compromise:** Look for repeated or unexplained restarts of the `authd` process, administrative accounts that were created or modified outside the normal change process, and configuration commits with no matching change record.
- **Threat Prevention:** Customers with a Threat Prevention subscription should ensure they are using the latest Content Release (e.g., Application and Threat ID updates) which includes signatures to block exploitation attempts.
- **Logs:** Monitor Traffic logs for sessions to the Authentication Portal ports (TCP 6080 for NTLM authentication, 6081 for transparent mode, 6082 for redirect mode) from addresses outside the ranges that should ever be redirected to the portal, and for bursts of requests from a single source.
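The log check described above, as an added example that is not part of the original advisory and not a Palo Alto Networks tool. It runs over a constructed, simplified `key=value` record format (not the real PAN-OS traffic-log CSV layout), treats RFC 1918 space as the trusted client range (an assumption; substitute the networks that should legitimately reach your portal), and reports every outside source that touched ports 6080-6082, ranking it by how many of its requests were allowed through.

```python
"""Flag untrusted sources reaching the Authentication Portal ports in traffic logs.

Added example. Record format and sample data are constructed; the trusted
ranges are an assumption to be replaced with the deployment's own.
"""
import ipaddress
from typing import Dict, Iterable, List

# Authentication Portal listeners, as named in this summary's Detection section.
PORTAL_PORTS = {6080: "ntlm", 6081: "transparent", 6082: "redirect"}

# Assumption: only internal clients should ever be redirected to the portal.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (simplified format, not the PAN-OS CSV layout).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges used as stand-ins.
SAMPLE_LOG = """\
ts=2026-01-15T09:00:01Z src=10.20.5.17 dst=10.20.0.1 dport=6082 proto=tcp action=allow
ts=2026-01-15T09:00:03Z src=10.20.5.18 dst=10.20.0.1 dport=6081 proto=tcp action=allow
ts=2026-01-15T09:01:10Z src=198.51.100.23 dst=203.0.113.10 dport=6082 proto=tcp action=allow
ts=2026-01-15T09:01:11Z src=198.51.100.23 dst=203.0.113.10 dport=6082 proto=tcp action=allow
ts=2026-01-15T09:01:12Z src=198.51.100.23 dst=203.0.113.10 dport=6082 proto=tcp action=allow
ts=2026-01-15T09:02:00Z src=10.20.5.17 dst=93.184.216.34 dport=443 proto=tcp action=allow
ts=2026-01-15T09:03:00Z src=198.51.100.77 dst=203.0.113.10 dport=6080 proto=tcp action=deny
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; dport is converted to int."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src: str, trusted: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted)


def find_portal_exposure(log_text: str, trusted=TRUSTED_NETS,
                         burst_threshold: int = 3) -> Dict[str, dict]:
    """Return {src: summary} for sources outside `trusted` that hit portal ports.

    Internal clients are skipped: the portal is supposed to see their traffic.
    Severity: 'high' if >= burst_threshold requests were allowed, 'medium' if
    any were allowed, 'low' if every request from that source was denied.
    """
    findings: Dict[str, dict] = {}
    records = (parse_record(l) for l in log_text.splitlines() if l.strip())
    for rec in records:
        port = rec["dport"]
        if port not in PORTAL_PORTS or is_trusted(rec["src"], trusted):
            continue
        f = findings.setdefault(rec["src"], {
            "hits": 0, "allowed": 0, "modes": set(), "first_seen": rec["ts"]})
        f["hits"] += 1
        f["allowed"] += int(rec["action"] == "allow")
        f["modes"].add(PORTAL_PORTS[port])

    for f in findings.values():
        if f["allowed"] >= burst_threshold:
            f["severity"] = "high"    # repeated requests reached the portal
        elif f["allowed"]:
            f["severity"] = "medium"  # at least one request got through
        else:
            f["severity"] = "low"     # blocked probe; still worth correlating
    return findings


if __name__ == "__main__":
    for src, f in find_portal_exposure(SAMPLE_LOG).items():
        print(f"{f['severity']:6s} {src:16s} hits={f['hits']} allowed={f['allowed']} "
              f"modes={sorted(f['modes'])} first_seen={f['first_seen']}")
```

A `low` finding is a denied probe, but a burst of them from one source just before an `authd` restart is exactly the correlation worth chasing; feed the output into whatever ties traffic logs to system logs rather than alerting on it in isolation.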
## References
- https[://]security[.]paloaltonetworks[.]com/CVE-2026-0300
- https[://]security[.]paloaltonetworks[.]com/
- https[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/palo-alto-networks-security-advisory-av26-425