Detect Palo Alto Networks PAN-OS Out-of-bounds Write (CVE-2026-0300) in Google Chronicle
Detects exploitation attempts targeting CVE-2026-0300, an out-of-bounds write vulnerability (CWE-787) in Palo Alto Networks PAN-OS. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to execute arbitrary code, crash the device, or escalate privileges on affected PAN-OS appliances. Detection focuses on anomalous management plane activity, unexpected process crashes, memory corruption indicators, and suspicious inbound traffic patterns targeting PAN-OS management interfaces.
MITRE ATT&CK
- Tactic
- Initial Access Execution Impact
YARA-L Detection Query
rule cve_2026_0300_panos_oob_write {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2026-0300 exploitation indicators against Palo Alto Networks PAN-OS"
severity = "CRITICAL"
priority = "HIGH"
mitre_attack_tactic = "Initial Access"
mitre_attack_technique = "T1190"
reference = "https://security.paloaltonetworks.com/CVE-2026-0300"
cve = "CVE-2026-0300"
events:
(
$e.metadata.product_name = "PAN-OS" or
$e.metadata.vendor_name = "Palo Alto Networks"
)
and
(
(
$e.metadata.event_type = "NETWORK_HTTP" and
$e.target.port in (443, 4443, 8443) and
$e.network.direction = "INBOUND"
) or
(
$e.metadata.event_type = "PROCESS_TERMINATION" and
$e.target.process.command_line = /sslmgrd|pan_gp|configd|authd|pan_comm/ and
$e.target.process.exit_code != 0
) or
(
re.regex($e.metadata.description, `(?i)(out.of.bounds|memory corruption|segfault|core dump|buffer overflow|CVE-2026-0300)`)
)
)
match:
$e.principal.hostname over 15m
outcome:
$risk_score = max(
if($e.metadata.event_type = "PROCESS_TERMINATION", 85, 0) +
if(re.regex($e.metadata.description, `CVE-2026-0300`), 95, 0) +
if(re.regex($e.metadata.description, `(?i)(segfault|core dump)`), 75, 0)
)
$hostname = array_distinct($e.principal.hostname)
$source_ips = array_distinct($e.principal.ip)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for CVE-2026-0300. Matches inbound management port traffic, abnormal PAN-OS process terminations, and payload-level memory corruption indicators on Palo Alto Networks devices, with risk scoring across signal types.
Data Sources
Required Tables
False Positives & Tuning
- Chronicle parser misconfiguration mapping non-PAN-OS events to the Palo Alto vendor namespace
- Authorized internal vulnerability scans generating inbound management traffic matching network conditions
- PAN-OS high-availability failover generating process termination events for monitored daemon names
- Threat intelligence enrichment rules applying CVE tags to historical events unrelated to active exploitation
Other platforms for CVE-2026-0300
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate malformed HTTPS payload to PAN-OS management interface
Expected signal: PAN-OS threat logs should record an anomalous inbound connection; syslog may show a connection handling error or rate limit trigger on the management interface.
- Test 2Trigger PAN-OS management daemon crash simulation via process kill
Expected signal: PAN-OS system logs will record a process crash event for sslmgrd with signal 11 (SIGSEGV); watchdog restart will generate a subsequent SYSTEM log entry. Syslog forwarding will push these to the SIEM.
- Test 3Enumerate PAN-OS management interface exposure and version fingerprinting
Expected signal: PAN-OS management logs will record the inbound HTTPS requests from the test source IP. If threat prevention is enabled, reconnaissance-pattern requests may trigger a threat log entry.
Unlock Pro Content
Get the full detection package for CVE-2026-0300 including response playbook, investigation guide, and atomic red team tests.