Full Report
Palo Alto Networks security advisory (AV26-674)
Analysis Summary
# Vulnerability: Buffer Overflow in PAN-OS User-ID Terminal Server Agent
## CVE Details
- **CVE ID:** CVE-2026-0288 (Note: This advisory also references PAN-SA-2026-0010 regarding Chromium updates)
- **CVSS Score:** 9.8 (Critical) - *Based on standard scoring for unauthenticated remote buffer overflows in this component.*
- **CWE:** CWE-120 (Buffer Copy without Checking Size of Input)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS; Prisma Access; Prisma Browser
- **Versions:**
- **PAN-OS 12.1:** Prior to 12.1.4-h8, 12.1.7-h2, 11.2.8
- **PAN-OS 11.2:** Prior to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, 11.2.13
- **PAN-OS 11.1:** Prior to 11.1.4-h35, 11.1.6-h35, 11.1.7.h8, 11.1.10-h30, 11.1.13-h9, 11.1.16
- **PAN-OS 10.2:** Prior to 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, 10.2.18-h8
- **Prisma Access:** 11.2.7-h18, 10.2.10-h39
- **Prisma Browser:** Prior to 149.10.3.53
- **Configurations:** Systems utilizing the **User-ID Terminal Server (TS) Agent** for user mapping.
## Vulnerability Description
A buffer overflow vulnerability exists in the User-ID Terminal Server Agent component of Palo Alto Networks PAN-OS. The flaw allows for memory corruption because the software does not properly validate the length of input before copying it to a fixed-size buffer.
## Exploitation
- **Status:** Not explicitly stated as exploited (As of release date), however, the critical nature suggests high risk.
- **Complexity:** Low
- **Attack Vector:** Network
- **Authentication:** None required
## Impact
- **Confidentiality:** High (Full system compromise possible)
- **Integrity:** High (Unauthorized modification of system data/settings)
- **Availability:** High (Can lead to service crashes or persistent denial of service)
## Remediation
### Patches
Palo Alto Networks has released the following patched versions:
- **PAN-OS 12.1:** 12.1.4-h8, 12.1.7-h2, 12.1.8
- **PAN-OS 11.2:** 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, 11.2.13
- **PAN-OS 11.1:** 11.1.4-h35, 11.1.6-h35, 11.1.7.h8, 11.1.10-h30, 11.1.13-h9, 11.1.16
- **PAN-OS 10.2:** 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, 10.2.18-h8
- **Prisma Browser:** 149.10.3.53
### Workarounds
- Isolate the User-ID Terminal Server Agent traffic to a management or restricted VLAN.
- Restrict access to the User-ID Agent port (default TCP 5006) to only known and trusted Palo Alto Networks firewall management IP addresses using Access Control Lists (ACLs).
## Detection
- Identify abnormal crashes of the `user-id` process on the firewall or the TS Agent on windows servers.
- Monitor for unusually large packets or malformed traffic directed toward the TS Agent listening port.
- Review system logs for "memory corruption" or "segmentation fault" errors associated with User-ID services.
## References
- PAN-OS Security Advisories: hxxps[://]security[.]paloaltonetworks[.]com/
- CVE-2026-0288 Detail: hxxps[://]security[.]paloaltonetworks[.]com/CVE-2026-0288
- Monthly Chromium Update: hxxps[://]security[.]paloaltonetworks[.]com/PAN-SA-2026-0010
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/palo-alto-networks-security-advisory-av26-674