- CVE: CVE-2026-0288
- CVSS: 7.2 (High · CVSSv4)
- Product: Palo Alto Networks Cloud NGFW
- Affected: 12.1.0, 11.2.0, 11.1.0, 10.2.0
- Impact: PAN-OS: Buffer Overflow Vulnerabilities in User-ID Terminal Server Agent
- Status: No confirmed exploitation yet
- Patched in: All, 12.1.8, 12.1.7-h2, 12.1.4-h8 (+15 more)
- Action: Update to All, 12.1.8, 12.1.7-h2, 12.1.4-h8 (+15 more) now
TL;DR
Palo Alto Networks disclosed a PAN-OS buffer overflow tracked as CVE-2026-0288. It sits in the User-ID Terminal Server Agent. An unauthenticated attacker on the network could crash the firewall or run code. The vendor rates it CVSS 7.2 and reports no known exploitation.
Why it matters
PAN-OS firewalls guard the edge of many enterprise networks. So a bug that allows arbitrary code execution there is serious. This flaw needs no login and no user interaction. Notably, a sibling PAN-OS flaw, CVE-2026-0300, was exploited in the wild and added to CISA’s KEV list in May 2026. That history raises the stakes for fast patching, even though CVE-2026-0288 shows no signs of abuse yet.
How the attack works
The issue is a set of buffer overflows in the Terminal Server Agent. An attacker sends specially crafted network traffic to the TSA service. That input overruns a buffer. The result is a denial of service, or potentially arbitrary code execution. Only devices with at least one TSA entry configured are exposed. Admins can confirm this under Device > User Identification > Terminal Server Agents.
Affected versions
The flaw affects PAN-OS 12.1, 11.2, 11.1, and 10.2 before their fixed builds. Cloud NGFW and Panorama are not affected. Prisma Access carries a medium-severity rating for two branches. Palo Alto credited Liang Zhu for the report.
Patch and mitigation
Update to a fixed release, such as 12.1.8, 11.2.13, 11.1.16, or 10.2.18-h8. Check the exact build for your branch in Palo Alto’s advisory. Until you patch, restrict TSA connectivity to trusted internal IP addresses. That single step sharply lowers the risk from this PAN-OS buffer overflow.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.