Out-of-Bounds Write in Palo Alto Networks PAN‑OS (CVE‑2026‑0300) Added to CISA KEV Catalog
What It Is – CISA has listed CVE‑2026‑0300, an out‑of‑bounds write flaw in Palo Alto Networks’ PAN‑OS operating system, in its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows an unauthenticated attacker to corrupt memory, potentially achieving remote code execution on the firewall appliance.
Exploitability – Active exploitation has been confirmed by multiple threat‑intel feeds; a proof‑of‑concept exists and the CVSS v3.1 base score is 8.6 (High).
Affected Products – All PAN‑OS versions prior to the vendor‑released patch (see Palo Alto advisory) across the PA‑500, PA‑800, PA‑3000, and virtualized firewall families.
TPRM Impact –
- A compromised firewall can expose downstream SaaS, cloud, and on‑premise services, creating a supply‑chain foothold.
- Network segmentation and data‑loss‑prevention controls may be bypassed, increasing the risk of data exfiltration for any third party that relies on the affected device.
Recommended Actions –
- Verify PAN‑OS version on every managed firewall and compare against the vendor’s patch matrix.
- Prioritize patching to the fixed release no later than the BOD 22‑01 remediation deadline.
- If immediate patching is not possible, apply temporary mitigations (e.g., restrict management‑plane access, enable strict ACLs, and monitor for anomalous traffic).
- Update your vulnerability‑management inventory to flag PAN‑OS assets as “high‑risk” until remediation is confirmed.
- Document remediation status for audit‑ready reporting to CISA and internal governance bodies.
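One way to carry out the first and fourth actions above (compare each firewall's PAN‑OS version against the fixed release for its train and flag the asset), as an added example that is not part of the CISA or Palo Alto material: the fixed‑release table and the inventory are placeholders and constructed data, and the check treats hotfix suffixes (e.g. 10.2.9 vs 10.2.9‑h1) and unknown release trains conservatively.

```python
import re

# Hypothetical fixed releases per PAN-OS release train, keyed "major.minor".
# Placeholder values only: replace them with the fixed releases listed in the
# Palo Alto advisory for CVE-2026-0300 (this page does not give them).
FIXED_RELEASES = {"10.1": "10.1.14-h2", "10.2": "10.2.9-h1", "11.0": "11.0.4"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Turn '10.2.4-h3' into (10, 2, 4, 3); a missing hotfix suffix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def assess(version, fixed=FIXED_RELEASES):
    """Return 'patched', 'vulnerable' or 'unknown-train' for one firewall version."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in fixed:
        return "unknown-train"  # no fixed release known for this train: keep it high-risk
    return "patched" if parsed >= parse_version(fixed[train]) else "vulnerable"

def flag_inventory(csv_text, fixed=FIXED_RELEASES):
    """Parse 'hostname,model,version' lines and flag assets still needing remediation."""
    rows = []
    for line in csv_text.strip().splitlines():
        host, model, version = (f.strip() for f in line.split(","))
        status = assess(version, fixed)
        rows.append({"host": host, "model": model, "version": version,
                     "status": status, "risk": "high" if status != "patched" else "low"})
    return rows

# Constructed sample inventory (not real assets or real version data).
SAMPLE_INVENTORY = """\
fw-edge-01,PA-850,10.2.4-h3
fw-edge-02,PA-3260,10.2.9-h1
fw-dc-01,VM-300,11.0.3
fw-lab-01,PA-500,9.1.10
"""

if __name__ == "__main__":
    for row in flag_inventory(SAMPLE_INVENTORY):
        print(f"{row['host']:<10} {row['version']:<12} {row['status']:<13} risk={row['risk']}")
```

Any asset reported as vulnerable or unknown-train stays flagged high‑risk in the inventory until its version is confirmed at or above the vendor's fixed release.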
Source: CISA Advisory – May 06 2026