Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN461
_____________________________________________________________________

DATE                : 06/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS.

=====================================================================
https://security.paloaltonetworks.com/CVE-2026-0300
_____________________________________________________________________

CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow
Vulnerability in User-ID™ Authentication Portal

Urgency HIGHEST

047910

Severity 9.3 · CRITICAL
Exploit Maturity ATTACKED
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality LOW
Subsequent Integrity LOW
Subsequent Availability NONE

Published 2026-05-05
Updated 2026-05-05
Discovered in production use


Description

A buffer overflow vulnerability in the User-ID™ Authentication Portal
(aka Captive Portal) service of Palo Alto Networks PAN-OS software
allows an unauthenticated attacker to execute arbitrary code with root
privileges on the PA-Series and VM-Series firewalls by sending
specially crafted packets.

The risk of this issue is greatly reduced if you secure access to the
User-ID™ Authentication Portal per the best practice guidelines by
restricting access to only trusted internal IP addresses.

Prisma Access, Cloud NGFW and Panorama appliances are not impacted by
this vulnerability.


Product Status

Versions	Affected	Unaffected
Cloud NGFW	None          	All

PAN-OS 12.1	< 12.1.4-h5  
                < 12.1.7       	>= 12.1.4-h5 (ETA: 05/13)
                                >= 12.1.7 (ETA: 05/28)

PAN-OS 11.2	< 11.2.4-h17
                < 11.2.7-h13
                < 11.2.10-h6
                < 11.2.12
	                       >= 11.2.4-h17 (ETA: 05/28)
                               >= 11.2.7-h13 (ETA: 05/13)
                               >= 11.2.10-h6 (ETA: 05/13)
                               >= 11.2.12 (ETA: 05/28)

PAN-OS 11.1	< 11.1.4-h33
                < 11.1.6-h32
                < 11.1.7-h6
                < 11.1.10-h25
                < 11.1.13-h5
                < 11.1.15
	                       >= 11.1.4-h33 (ETA: 05/13)
                               >= 11.1.6-h32 (ETA: 05/13)
                               >= 11.1.7-h6 (ETA: 05/28)
                               >= 11.1.10-h25 (ETA: 05/13)
                               >= 11.1.13-h5 (ETA: 05/13)
                               >= 11.1.15 (ETA: 05/28)
PAN-OS 10.2	< 10.2.7-h34
                < 10.2.10-h36
                < 10.2.13-h21
                < 10.2.16-h7
                < 10.2.18-h6
	                        >= 10.2.7-h34 (ETA: 05/28)
                                >= 10.2.10-h36 (ETA: 05/13)
                                >= 10.2.13-h21 (ETA: 05/28)
                                >= 10.2.16-h7 (ETA: 05/28)
                                >= 10.2.18-h6 (ETA: 05/13)

Prisma Access	None            All


Required Configuration for Exposure

This issue is applicable only to PA-Series and VM-Series firewalls
that are configured to use User-ID™ Authentication Portal.

You can verify whether you have User-ID™ Authentication Portal
configured in the User-ID™ Authentication Portal Settings
page (Device > User Identification > Authentication Portal Settings -> Enable Authentication Portal).

Severity: CRITICAL, Suggested Urgency: HIGHEST

The risk is highest when you configure the User-ID™
Authentication Portal to enable access from the Internet
or any untrusted network.

CRITICAL - CVSS-BT: 9.3 /CVSS-B: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red)

You can greatly reduce the risk of exploitation by restricting
User-ID™ Authentication Portal access to only trusted internal
IP addresses and preventing its exposure to the internet.

HIGH - CVSS-BT: 8.7 /CVSS-B: 8.7 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red)


Exploitation Status

Limited exploitation has been observed targeting Palo Alto
Networks User-ID™ Authentication Portals that are exposed to
untrusted IP addresses and/or the public internet. Customers
following standard security best practices, such as
restricting sensitive portals to trusted internal networks
are at a greatly reduced risk.


Weakness Type and Impact

CWE-787: Out-of-bounds Write

CAPEC-100 Overflow Buffers


Solution

This issue will be fixed in upcoming releases of PAN-OS as
captured in the table above.

We strongly recommend that you secure access to your User-ID™
Authentication Portal following the instructions in the
workarounds section below.


Workarounds and Mitigations

Customers can mitigate the risk of this issue by taking either
of the following actions:

    Restrict User-ID™ Authentication Portal access to only trusted
zones. Refer to Step 6 of the following Live Community article
and Knowledgebase article for steps to restrict access.
    Disable User-ID™ Authentication Portal if not required.

CPE Applicability

    cpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.4 and up to (excluding)12.1.4-h5
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)12.1.0 and up to (excluding)12.1.7
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.4 and up to (excluding)11.2.4-h17
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.7 and up to (excluding)11.2.7-h13
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.10 and up to (excluding)11.2.10-h6
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.2.0 and up to (excluding)11.2.12
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.4 and up to (excluding)11.1.4-h33
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.6 and up to (excluding)11.1.6-h32
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.7 and up to (excluding)11.1.7-h6
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.10 and up to (excluding)11.1.10-h25
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.13 and up to (excluding)11.1.13-h5
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)11.1.0 and up to (excluding)11.1.15
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.7 and up to (excluding)10.2.7-h34
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.10 and up to (excluding)10.2.10-h36
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.13 and up to (excluding)10.2.13-h21
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.16 and up to (excluding)10.2.16-h7
    ORcpe:2.3:o:palo_alto_networks:pan-os:*:*:*:*:*:*:*:* is vulnerable from (including)10.2.18 and up to (excluding)10.2.18-h6


Timeline

2026-05-05          Initial publication.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================