Four PAN-OS CVEs, One Hotfix: The May 13 Bundle Closes May 5 Too
Bill Church
May 13, 2026
Palo Alto published three High-severity PAN-OS advisories on May 13, 2026. Each one is CVSS-B 9.2 / CVSS-BT 7.2. Each one carries the highest provider urgency rating. None are exploited in the wild as of publication.
On every affected PAN-OS branch, the May 13 hotfix builds — the same single install per device — fix CVE-2026-0263, CVE-2026-0264, CVE-2026-0265, and CVE-2026-0300, the actively-exploited User-ID Authentication Portal RCE disclosed May 5. The build numbers match exactly. The release dates match exactly. Today's hotfix is also your May 5 fix. Customers who have been carrying CVE-2026-0300 mitigations for eight days — portal disable, network restriction, or the Threat Prevention signature — can retire them as part of the same change once the install lands.
This is the most important fact about today's release. It is also the fact most likely to get lost while three change tickets get drafted instead of one.
CAS bypass is the one to escalate first
CVE-2026-0265 is an improper-signature-verification flaw (CWE-347) in PAN-OS's Cloud Authentication Service. CAS is the integration that lets PAN-OS terminate authentication against a cloud identity service via cryptographic assertions. The verification path accepts a crafted assertion as valid when it should reject. An attacker who can craft the assertion authenticates as any user the profile is configured to admit, without supplying credentials.
Three things make this the item to look at first:
- It has low attack complexity. The CVSS vectors for CVE-2026-0263 and CVE-2026-0264 are both AC:H. CVE-2026-0265 is AC:L. Once an attacker can reach the login interface, the bypass is not gated by a hard-to-hit precondition.
- It is the only CVE in the bundle that affects Panorama. Customers running CAS in an Authentication Profile attached to Panorama's WebUI are exposed to management-of-management compromise. The blast radius radiates to every device Panorama manages.
- The deployment footprint is broader than the PQC IKEv2 case. CAS adoption is more common than PQC IKEv2, particularly among organizations that have moved their identity backend to a cloud IdP. The exposed population overlaps with the same federal, defense, and regulated-industry demographics that adopted PQC early, but it is not the same set.
The CAS workaround is to restrict the management/login interface to trusted IPs behind a jump host, or to temporarily swap the Authentication Profile to SAML, RADIUS, LDAP, or Kerberos until patches are applied. PAN's CVSS variance for this CVE — 9.2 internet-exposed, 4.8 behind a jump-box ACL — quantifies the value of the network-restriction control directly.
Customers running Threat Prevention with content v9100-10044 or newer can also lean on Threat ID 510008 as interim coverage — but only on PAN-OS 11.2+ and only after non-trivial deployment plumbing: routing management traffic through the data plane, applying vulnerability profiles to GlobalProtect interfaces, replacing default inbound management certificates, and decrypting management-plane traffic for inspection. It is not a single-toggle mitigation; read the PAN advisory's signature section in full before relying on it.
DNS Proxy splits PA-Series and VM-Series in a way that matters
CVE-2026-0264 is a heap-based buffer overflow in PAN-OS's DNS Proxy and DNS Server code. The bug is reachable from any network position that can deliver a crafted DNS packet to the affected listener, but the outcome is platform-dependent: unauthenticated RCE on PA-Series hardware, denial of service on VM-Series and elsewhere.
The platform split is the operational tell. A branch office firewall acting as a local DNS forwarder on a PA-220 or PA-440 is in scope for RCE. The same configuration on a VM-Series instance in IaaS is in scope for DoS only. Both should patch; the urgency is calibrated by the impact, and on hardware that means treating this as a same-week item.
Neither DNS Proxy nor DNS Server is on by default. The exposed population is bounded by the customers who turned the feature on — typically as part of a branch stand-up that nobody has revisited in years. The audit cost is low: enumerate DNS Proxy objects under Network → DNS Proxy, check whether they are enabled and which interfaces they are attached to, then check Device → Setup → Services → DNS for a DNS Server bound to a public IP. Twenty minutes per firewall, less if you script it against the XML API.
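Scripting the DNS Proxy audit above against the XML API, as an added example (not Palo Alto's code or the post author's): it builds the running-config request and lists every DNS Proxy object that is not disabled, with the interfaces it is attached to. The xpath and element names are assumptions about the PAN-OS config schema, and the sample XML is constructed rather than captured from a device.

```python
"""Enumerate PAN-OS DNS Proxy objects from running config fetched via the XML API.
Added example (not Palo Alto's or the post author's code). Assumes the config schema
puts DNS Proxy objects under network/dns-proxy with <enabled> and <interface><member>
children, matching the GUI path Network -> DNS Proxy; the sample XML is constructed."""
import urllib.parse
import xml.etree.ElementTree as ET

DNS_PROXY_XPATH = "/config/devices/entry[@name='localhost.localdomain']/network/dns-proxy"

# Constructed sample of what the API returns for that xpath (not a real device capture).
SAMPLE_CONFIG = """<response status="success"><result>
<dns-proxy>
  <entry name="branch-dns">
    <enabled>yes</enabled>
    <interface><member>ethernet1/2</member><member>ethernet1/3</member></interface>
    <default><primary>10.0.0.53</primary></default>
  </entry>
  <entry name="legacy-dns">
    <enabled>no</enabled>
    <interface><member>ethernet1/4</member></interface>
  </entry>
  <entry name="stale-dns">
    <enabled>yes</enabled>
    <interface/>
  </entry>
</dns-proxy>
</result></response>"""

def config_show_url(host, api_key, xpath=DNS_PROXY_XPATH):
    """Request URL for the running config at `xpath`. action=show reads the committed
    config; action=get would read the candidate config, which is not what is listening."""
    query = {"type": "config", "action": "show", "xpath": xpath, "key": api_key}
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(query))

def enabled_dns_proxies(config_xml):
    """Return [(name, [interfaces])] for each DNS Proxy object not explicitly disabled.
    A missing <enabled> is flagged too, and an enabled object with no interface is
    reported with an empty list: it is one interface assignment away from listening."""
    findings = []
    for entry in ET.fromstring(config_xml).iterfind(".//dns-proxy/entry"):
        if (entry.findtext("enabled") or "yes").strip().lower() == "no":
            continue
        members = [m.text.strip() for m in entry.findall("interface/member") if m.text]
        findings.append((entry.get("name"), members))
    return findings

if __name__ == "__main__":
    for name, ifaces in enabled_dns_proxies(SAMPLE_CONFIG):
        print("%-12s %s" % (name, ", ".join(ifaces) or "enabled but no interface"))
```

Point the same parser at the `dns-proxy` subtree of each Panorama template to cover a managed fleet without logging into every firewall.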
Threat Prevention customers on content v9100-10044+ also get Threat ID 510027 as interim coverage during the patch window.
IKEv2 PQC is the slow lane of the bundle
CVE-2026-0263, the IKEv2 PQC buffer overflow, is still real, still High, still worth patching this week. It is also the narrowest exposure surface in the bundle.
PQC IKEv2 is opt-in, only exists on PAN-OS 11.x and 12.1, and only fires when a tunnel's IKE Crypto Profile includes a PQC algorithm. PAN-OS 10.2 is unaffected on this CVE. Customers who never enabled PQC on any IKE Crypto Profile are not exposed at all, regardless of PAN-OS version.
The PQC workaround — "configure IKEv2 with NIST-approved PQC ciphers only" — is the signal that the vulnerable code path is the non-NIST handling: draft Kyber revisions, BIKE, HQC, and the hybrid combinations that didn't survive the NIST process. Restricting the cipher set to ML-KEM (FIPS 203) avoids the bug. The patch fixes it. The catch is that both ends of an IKE tunnel must agree on the cipher set, so customers running PQC to an external peer have to coordinate the change rather than apply it unilaterally.
For most customers, this is the third CVE on the priority list, not the first.
One patch, four CVEs
The combined patch matrix is the most useful artifact in this advisory, and it is more compact than the four-CVE total suggests. On every PAN-OS branch and hotfix line, the fix for each applicable CVE in the bundle is the same build — and that build is also the fix for CVE-2026-0300. The 12.1.4 line takes 12.1.4-h5. The 11.2.10 line takes 11.2.10-h6. The 10.2.10 line takes 10.2.10-h36 and is unaffected by CVE-2026-0263 (PQC IKEv2 didn't exist in 10.2) but still gets CVE-2026-0300, CVE-2026-0264, and CVE-2026-0265 in the same install. The 11.1.4, 11.1.6, 11.1.10, 11.1.13, 11.2.7, 11.2.10, and 12.1.4 hotfix lines all have a same-day fix available. The base trains (11.1.15, 11.2.12, 12.1.7) plus the 10.2.7, 10.2.13, 10.2.16, 11.1.7, and 11.2.4 hotfix lines slip to May 28, 2026.
The CVE-2026-0300 inclusion is the operational payoff. Customers in scope for May 5 have spent eight days running interim controls — portal disable, network restriction to trusted zones, or the Threat Prevention signature on PAN-OS 11.1+. The May 13 hotfix retires every one of them. The change ticket that covers today's bundle should explicitly call out all four CVEs in scope, and the post-patch verification should include backing out the May 5 interim controls in the same maintenance window, not deferred to a later cleanup pass.
Customers on a slipping line have two paths: apply the per-CVE workarounds in the interim (CAS network restriction or auth-method swap, DNS feature reconfiguration, PQC NIST-only cipher narrowing, and the existing CVE-2026-0300 mitigation), or jump to a hotfix line with a same-day fix. The jump is an upgrade event with its own risk; the workarounds are configuration changes with operational coordination cost. Both are bridges to the May 28 wave, not durable fixes.
The change-management framing matters. Four CVEs in eight days is four rows in a tracker, but one ticket per device. Sizing the program against the device count rather than against the CVE count is the correction.
Four pre-auth PAN-OS CVEs in eight days is the pattern
CVE-2026-0300 on May 5 (User-ID Authentication Portal, active exploitation, no fixed build at disclosure). CVE-2026-0263, CVE-2026-0264, CVE-2026-0265 on May 13 (no known exploitation, same-day hotfixes for most lines). Four pre-authentication PAN-OS CVEs in eight days, clustered around perimeter services: a portal, an IKE listener, a DNS service, and an authentication backend.
The most defensible reading is that Palo Alto's internal security teams have been auditing pre-auth surfaces aggressively in 2026 and the disclosure cadence reflects audit throughput. Operators should expect more PAN-OS pre-auth CVEs through the remainder of the year on the same basis — when a vendor publishes one CVE in a class, more are usually queued behind it. The User-ID agent protocol, the syslog ingestion paths, the X-Auth-Token handling on the management plane, and the management-plane SSL termination layer are all plausible candidates for what arrives next.
The disclosure-vs-patch-readiness pattern is also worth recording, and it explains why all four CVEs share a hotfix train. CVE-2026-0300 was customer-reported with active exploitation and shipped with no fixed build; first hotfixes followed eight days later. That eight-day window is exactly what the three new CVEs needed to ride the same train. By the time PSIRT was ready to ship CVE-2026-0300 hotfixes on May 13, the internal/researcher-reported CVEs that had been queued for the same release cycle were ready too. The consolidated hotfix is the result of PSIRT's release-train coordination — when multiple advisories' patch readiness aligns, PAN ships a unified build rather than per-CVE point releases. The active-exploit pressure on CVE-2026-0300 pulled the May 13 wave forward; the three new CVEs got pulled along with it.
The discovery mechanism is now on the record
This isn't an isolated three-CVE event. The May 13 batch is 26 CVEs spread across 75 issues and 130+ products in the broader Palo Alto portfolio — Prisma Cloud, Cortex XDR/XSIAM, Strata Cloud Manager, GlobalProtect client, Prisma Access Agent, Prisma SD-WAN, and others — published together. Palo Alto's CPO Lee Klarich posted a companion piece the same day attributing the batch to frontier-AI-assisted vulnerability discovery. The named models: Anthropic's Claude Mythos and Claude Opus 4.7 via Anthropic's Project Glasswing cyber-partner program (PAN onboarded April 7, 2026), and OpenAI's GPT-5.5-Cyber via OpenAI's Trusted Access for Cyber program. The pattern we noted on May 5 (CVE-2026-0300) and May 7 ("Dirty Frag" Linux kernel LPE) — disclosure cadence outrunning the pre-2025 baseline — now has a named cause.
"We now estimate a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm." - Lee Klarich
That's a vendor estimate, not a contractual SLA. The operational reading doesn't depend on whether the specific 3-5 month number proves accurate: the window argues for compressing patch-cycle bottlenecks now, while the discovery-to-disclosure interval is still measured in days-to-weeks rather than hours. If your patch program depends on quarterly maintenance windows, multi-week change-approval cycles, or manual deploy steps for security updates, today's same-day hotfixes are wasted leverage: the build is on the mirror, but you can't install it for six weeks. Identify the slowest stage of your pipeline (change-approval flow, maintenance-window cadence, HA-pair failover tooling, post-patch verification) and shorten that one first.
The external researcher credit on CVE-2026-0265 — Hacktron AI, via researcher Harsh Jaiswal — is an adjacent but separate signal. Hacktron AI is an AI-assisted vulnerability research tooling company; the finding is not part of PAN's Project Glasswing program, but it points the same direction. Two independent data points, same trend.
May 13 wasn't a PAN-only day, either. F5 shipped its May 2026 Quarterly Security Notification the same morning with 19 High-severity CVEs across BIG-IP and NGINX. Change-management leadership at any organization running both perimeters should size today's window for both vendors.
What we're not putting in this post
A few things deserve a longer treatment than a public post can responsibly carry:
- The combined patch matrix in full, with the per-branch fixed-in builds, the May 28 wave, the cross-reference to the CVE-2026-0300 fixed-in builds confirming the version-for-version match, and the upgrade-vs-workaround decision for customers on a hotfix line whose fix slips.
- The CVE-2026-0300 mitigation retirement procedure — exactly which interim controls to back out, in what order, and what post-patch verification to run before unwinding each one so a misconfigured rollback doesn't reopen the exposure window.
- The configuration audit playbooks for all three May 13 CVEs — DNS Proxy enumeration on Panorama-managed fleets, CAS Authentication Profile-to-login-interface mapping, and the PQC IKE Crypto Profile audit — including how to automate each across templates so you don't miss an inherited profile.
- The CAS blast-radius assessment for Panorama — what management-of-management compromise actually means against the device inventory most enterprises run, and what to verify post-patch to rule out a window of exposure before the fix landed.
- The Project Glasswing context in full — the per-vendor, per-model breakdown of how 26 CVEs surfaced through frontier-AI-assisted discovery, what PAN's batch overlap with F5's same-day QSN says about the cross-vendor cadence, and the patch-pipeline bottleneck audit (the concrete version of Klarich's three-to-five-month window framing) — including what to escalate to a CISO asking why the queue keeps growing.
We've packaged that into a working advisory PDF with the technical depth one of our engineers would walk a customer through on an hour-long call. If you want it, request it here — we read every request and respond directly.
In the meantime: identify each firewall's current branch and hotfix line, check whether a same-day hotfix is available on that line, and confirm whether CAS, DNS Proxy/Server, PQC IKEv2, or the User-ID Authentication Portal is configured on any of your devices. That part takes an hour for a typical fleet and rules in or out the whole rest of the problem.