
Cyber Centre Daily Advisory Digest — 2026-05-06 (3 advisories)

The Canadian Centre for Cyber Security released a daily digest highlighting three security advisories. The most critical is an actively exploited, unauthenticated buffer overflow vulnerability (CVE-2026-0300) affecting the Palo Alto Networks PAN-OS User-ID Authentication Portal. Additional routine security updates were announced for Google Chrome and VMware Tanzu GemFire Management Console.

Sens: Immediate | Conf: high | Analyzed: 2026-05-06

Authors: Canadian Centre for Cyber Security

Source:Canadian Centre for Cyber Security


What Happened

The Canadian Centre for Cyber Security issued alerts for three software products that require immediate updates. Users of Palo Alto Networks firewalls, the Google Chrome web browser, and VMware Tanzu GemFire are affected. The situation is highly critical because the flaw in Palo Alto Networks PAN-OS is already being actively exploited by attackers to compromise systems. Administrators and users should apply the latest security updates provided by these vendors immediately to protect their networks and devices.

Key Takeaways

  • Palo Alto Networks PAN-OS is affected by a critical, actively exploited unauthenticated buffer overflow vulnerability (CVE-2026-0300) in the User-ID Authentication Portal.
  • Google Chrome released security updates for Desktop versions (Windows, Mac, Linux) to address recent vulnerabilities.
  • Broadcom VMware released updates for the Tanzu GemFire Management Console to address vulnerabilities in versions prior to 1.4.4.

Affected Systems

  • PAN-OS 12.1 (prior to 12.1.4-h5 and 12.1.7)
  • PAN-OS 11.2 (multiple versions)
  • PAN-OS 11.1 (multiple versions)
  • PAN-OS 10.2 (multiple versions)
  • Stable Channel Chrome for Desktop (prior to 148.0.7778.96/97 for Windows/Mac and 148.0.7778.96 for Linux)
  • VMware Tanzu GemFire Management Console (prior to 1.4.4)

Vulnerabilities (CVEs)

  • CVE-2026-0300

Attack Chain

Attackers are actively exploiting CVE-2026-0300, an unauthenticated buffer overflow vulnerability located in the Palo Alto Networks PAN-OS User-ID Authentication Portal. The advisory does not provide further technical details regarding the specific exploit payloads, post-exploitation activities, or the ultimate objectives of the threat actors.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: Low — The primary critical vulnerability (CVE-2026-0300) affects network appliances (PAN-OS firewalls) where standard EDR agents typically cannot be installed.
  • Network Visibility: High — Exploitation of the PAN-OS User-ID Authentication Portal occurs over the network and could potentially be detected via anomalous traffic patterns or vendor-provided IDS/IPS signatures.
  • Detection Difficulty: Hard — Without specific IOCs or exploit payloads detailed in the advisory, detecting the buffer overflow relies on generic anomaly detection, service crash logs, or vendor-provided threat prevention signatures.

Required Log Sources

  • Firewall system logs
  • Authentication logs
  • Web application firewall logs

Hunting Hypotheses

  • Hypothesis: Look for unexpected crashes or restarts of the User-ID Authentication Portal service on PAN-OS devices, which may indicate attempted or successful buffer overflow exploitation.
  • Telemetry: Firewall system logs
  • ATT&CK Stage: Initial Access
  • FP Risk: Medium

Control Gaps

  • Lack of EDR visibility on proprietary network appliances

Key Behavioral Indicators

  • Service crashes or unexpected reboots on PAN-OS devices

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Apply the latest PAN-OS updates provided by Palo Alto Networks to mitigate the actively exploited CVE-2026-0300.
  • Update Google Chrome to version 148.0.7778.96/97 (Windows/Mac) or 148.0.7778.96 (Linux).
  • Update VMware Tanzu GemFire Management Console to version 1.4.4 or later.

Infrastructure Hardening

  • Restrict access to the PAN-OS User-ID Authentication Portal to trusted IP addresses or internal networks if public access is not strictly required.

User Protection

  • Ensure automated browser updates are enabled for all endpoint users to rapidly deploy the Google Chrome patches.

Security Awareness

  • Inform IT and security teams about the active exploitation of CVE-2026-0300 to ensure patching of Palo Alto Networks devices is prioritized.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application