UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28

UPDATE (originally covered 2026-05-07 deep dive): The Palo Alto Networks PSIRT advisory for CVE-2026-0300 was revised on 2026-05-16 to update the per-build fix-release schedule: PAN-OS 10.2.13-h21 was retimed on 2026-05-16, 10.2.16-h7 on 2026-05-14. Both are commonly deployed LTS branches in large enterprise and government estates; PA-Series and VM-Series devices on those two specific builds remain mitigation-only.

The wave-2 patch target for the remaining outstanding builds remains 2026-05-28. No new exploitation evidence accompanied the revision; the actively-exploited posture (unauthenticated heap overflow in the User-ID Authentication Portal / Captive Portal service, CVSS 9.3, pre-auth root RCE) reported in prior briefs continues. Defender action: verify each PA / VM appliance's installed PAN-OS build against the advisory's per-version patch matrix; if the installed build is 10.2.13-h21 or 10.2.16-h7, confirm the Captive Portal / User-ID Authentication Portal mitigation (disable the feature if unused, or apply the published Threat Prevention rule) remains active until the wave-2 fix lands.