Skip to main content

GlobalProtect App CVE-2026-0250

| EUVDEUVD-2026-30101 MEDIUM
Out-of-bounds Write (CWE-787)
2026-05-13 palo_alto GHSA-mv4m-c9mp-36jr
5.2
CVSS 4.0 · Vendor: palo_alto
Share

Severity by source

Vendor (palo_alto) PRIMARY
5.2 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber

Primary rating from Vendor (palo_alto) · only source for this CVE.

CVSS VectorVendor: palo_alto

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 10:58 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVSS changed
May 13, 2026 - 19:22 NVD
5.2 (MEDIUM)
CVE Published
May 13, 2026 - 18:26 nvd
MEDIUM 5.2
CVE Published
May 13, 2026 - 18:26 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect™ app that enables a man in the middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges. This vulnerability is triggered during the processing of requests and responses exchanged between Portal and Gateway.

The GlobalProtect app on iOS is not affected.

AnalysisAI

Buffer overflow in Palo Alto Networks GlobalProtect App (versions 6.0 through 6.3) allows an adjacent-network attacker positioned as a man-in-the-middle to corrupt memory during Portal/Gateway message processing, potentially executing arbitrary code with SYSTEM privileges on affected endpoints. Affected platforms include Windows (including the UWP variant), macOS, and other non-iOS clients; iOS is explicitly excluded by the vendor. No public exploit identified at time of analysis - EPSS stands at 0.01% and SSVC confirms no current exploitation - however the SSVC technical impact rating of 'total' and potential for full SYSTEM-level compromise justify prioritized patching for endpoints connecting from untrusted networks.

Technical ContextAI

The root cause is CWE-787 (Out-of-bounds Write), a memory corruption class in which data is written beyond the bounds of an allocated buffer, enabling heap or stack corruption and potential control-flow hijacking. The flaw resides specifically in the GlobalProtect app's code path responsible for parsing and processing HTTP/TLS messages exchanged with Palo Alto Networks Portal and Gateway infrastructure. Affected components span two CPE families: cpe:2.3:a:palo_alto_networks:globalprotect_app (covering standard clients on Windows, macOS, and Linux across branches 6.0-6.3) and cpe:2.3:a:palo_alto_networks:globalprotect_uwp_app (the Windows Universal Windows Platform variant in the 6.3 branch). Because the GlobalProtect service typically runs with SYSTEM-level privileges to manage network tunnels, a successful out-of-bounds write that redirects execution inherits those elevated rights. The CVSS 4.0 vector's AT:P (Attack Requirements: Present) directly reflects the MitM interception prerequisite - the attacker must be able to forge or inject Portal/Gateway responses rather than simply originate a packet.

RemediationAI

The primary fix is to upgrade to vendor-released patched versions available from Palo Alto Networks. Per the official advisory at https://security.paloaltonetworks.com/CVE-2026-0250 and EUVD-2026-30101, target versions are: GlobalProtect App 6.0 to 6.0.14 or later, 6.1 to 6.1.13 or later, 6.2 to 6.2.8-h10 (build 6.2.8-948) or later, 6.3 to 6.3.3-h9 (build 6.3.3-999) or later, and GlobalProtect UWP App 6.3 to 6.3.3-h10 or later. For environments where immediate patching is not feasible, the most targeted compensating control is restricting GlobalProtect client connectivity to network segments where MitM attacks are operationally implausible - specifically enforcing 802.1X port-based network access control and preventing rogue AP associations, which directly removes the AT:P precondition. Trade-off: these controls do not apply when users connect from unmanaged external networks. A secondary compensating measure is validating that GlobalProtect enforces strict TLS certificate pinning against trusted Palo Alto Portal/Gateway certificates, which raises the bar for injecting forged responses; verify this configuration against vendor documentation for each affected branch. iOS deployments require no action.

Share

CVE-2026-0250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy