Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Primary rating from Vendor (palo_alto) · only source for this CVE.
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber
Lifecycle Timeline
5DescriptionCVE.org
A buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect™ app that enables a man in the middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges. This vulnerability is triggered during the processing of requests and responses exchanged between Portal and Gateway.
The GlobalProtect app on iOS is not affected.
AnalysisAI
Buffer overflow in Palo Alto Networks GlobalProtect App (versions 6.0 through 6.3) allows an adjacent-network attacker positioned as a man-in-the-middle to corrupt memory during Portal/Gateway message processing, potentially executing arbitrary code with SYSTEM privileges on affected endpoints. Affected platforms include Windows (including the UWP variant), macOS, and other non-iOS clients; iOS is explicitly excluded by the vendor. No public exploit identified at time of analysis - EPSS stands at 0.01% and SSVC confirms no current exploitation - however the SSVC technical impact rating of 'total' and potential for full SYSTEM-level compromise justify prioritized patching for endpoints connecting from untrusted networks.
Technical ContextAI
The root cause is CWE-787 (Out-of-bounds Write), a memory corruption class in which data is written beyond the bounds of an allocated buffer, enabling heap or stack corruption and potential control-flow hijacking. The flaw resides specifically in the GlobalProtect app's code path responsible for parsing and processing HTTP/TLS messages exchanged with Palo Alto Networks Portal and Gateway infrastructure. Affected components span two CPE families: cpe:2.3:a:palo_alto_networks:globalprotect_app (covering standard clients on Windows, macOS, and Linux across branches 6.0-6.3) and cpe:2.3:a:palo_alto_networks:globalprotect_uwp_app (the Windows Universal Windows Platform variant in the 6.3 branch). Because the GlobalProtect service typically runs with SYSTEM-level privileges to manage network tunnels, a successful out-of-bounds write that redirects execution inherits those elevated rights. The CVSS 4.0 vector's AT:P (Attack Requirements: Present) directly reflects the MitM interception prerequisite - the attacker must be able to forge or inject Portal/Gateway responses rather than simply originate a packet.
RemediationAI
The primary fix is to upgrade to vendor-released patched versions available from Palo Alto Networks. Per the official advisory at https://security.paloaltonetworks.com/CVE-2026-0250 and EUVD-2026-30101, target versions are: GlobalProtect App 6.0 to 6.0.14 or later, 6.1 to 6.1.13 or later, 6.2 to 6.2.8-h10 (build 6.2.8-948) or later, 6.3 to 6.3.3-h9 (build 6.3.3-999) or later, and GlobalProtect UWP App 6.3 to 6.3.3-h10 or later. For environments where immediate patching is not feasible, the most targeted compensating control is restricting GlobalProtect client connectivity to network segments where MitM attacks are operationally implausible - specifically enforcing 802.1X port-based network access control and preventing rogue AP associations, which directly removes the AT:P precondition. Trade-off: these controls do not apply when users connect from unmanaged external networks. A secondary compensating measure is validating that GlobalProtect enforces strict TLS certificate pinning against trusted Palo Alto Portal/Gateway certificates, which raises the bar for injecting forged responses; verify this configuration against vendor documentation for each affected branch. iOS deployments require no action.
More in Globalprotect App
View allLocal privilege escalation vulnerabilities in Palo Alto Networks GlobalProtect App on Windows, macOS, and Linux allow a
Improper certificate validation in Palo Alto Networks GlobalProtect App exposes macOS and Android users to adversary-in-
GlobalProtect app on macOS exposes administrator-configured passcodes - used to restrict disabling, disconnecting, or un
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30101
GHSA-mv4m-c9mp-36jr