GlobalProtect App: Buffer Overflow Vulnerability during connection to Portal or Gateway

Plan Patch | CVSS 7.7 | CVE-2026-0250 | May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary

A buffer overflow vulnerability in Palo Alto Networks GlobalProtect app allows a man-in-the-middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges. The vulnerability is triggered during processing of requests and responses between GlobalProtect Portal and Gateway. It affects versions below 6.3.3-h9 on Windows, 6.3.3-h9 on macOS, 6.3.3-h2 on Linux, 6.2.8-h10 on Windows/macOS, 6.1.13 on Android/ChromeOS, and 6.0.x versions on multiple platforms. iOS is not affected.

What this means
What could happen
A man-in-the-middle attacker could exploit this buffer overflow to crash the GlobalProtect application or execute arbitrary code with system-level privileges on the endpoint, potentially compromising VPN security and gaining access to internal networks.
Who's at risk
Organizations deploying GlobalProtect VPN on employee endpoints (Windows, macOS, Linux, Android, ChromeOS) are affected. This includes remote workers and field staff connecting to corporate networks through Palo Alto GlobalProtect gateways. iOS users are not affected.
How it could be exploited
An attacker positioned between the user's endpoint and the Palo Alto GlobalProtect Portal or Gateway could craft malicious responses that trigger the buffer overflow during connection handshake or data exchange. This allows code execution on the user's machine with elevated privileges, bypassing VPN security controls.
Prerequisites
  • Network position to intercept traffic between endpoint and GlobalProtect Portal or Gateway (man-in-the-middle position)
  • GlobalProtect app running on affected version
  • Vulnerable endpoint connecting to Portal or Gateway
man-in-the-middle attack required | low complexity | affects VPN security posture | multiple platforms affected
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (14)
13 with fix, 1 pending
Product | Affected Versions | Fix Status
GlobalProtect App | Below 6.3.3-h9 (6.3.3-999) on Windows | 6.3.3-h9 (6.3.3-999) on Windows
GlobalProtect App | Below 6.3.3-h9 (6.3.3-999) on macOS | 6.3.3-h9 (6.3.3-999) on macOS
GlobalProtect App | Below 6.3.3-h2 (6.3.3-42) on Linux | 6.3.3-h2 (6.3.3-42) on Linux
GlobalProtect App | Below 6.2.8-h10 (6.2.8-948) on Windows | 6.2.8-h10 (6.2.8-948) on Windows
GlobalProtect App | Below 6.2.8-h10 (6.2.8-948) on macOS | 6.2.8-h10 (6.2.8-948) on macOS
GlobalProtect App | Below 6.1.13 on Android | 6.1.13 on Android
GlobalProtect App | Below 6.1.13 on ChromeOS | 6.1.13 on ChromeOS
GlobalProtect App | Below 6.0.11 on Linux | 6.0.11 on Linux (ETA: 06/04)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

GlobalProtect App
HOTFIX: Update GlobalProtect app on Windows to version 6.3.3-h9 (6.3.3-999) or later, or 6.2.8-h10 (6.2.8-948) or later, or 6.0.13 or later
HOTFIX: Update GlobalProtect app on macOS to version 6.3.3-h9 (6.3.3-999) or later, or 6.2.8-h10 (6.2.8-948) or later, or 6.0.13 or later
HOTFIX: Update GlobalProtect app on Linux to version 6.3.3-h2 (6.3.3-42) or later, or 6.0.11 or later
HOTFIX: Update GlobalProtect app on Android to version 6.1.13 or later, or 6.0.14 or later
HOTFIX: Update GlobalProtect app on ChromeOS to version 6.1.13 or later, or 6.0.14 or later
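
To triage an endpoint inventory against the fixed versions listed above, here is an added example (not from Palo Alto Networks or the original advisory). The hostnames and inventory rows are constructed, the function names `parse`, `triage` and `report` are hypothetical, and it assumes the app version is reported as `X.Y.Z` or `X.Y.Z-hN`; platforms or release branches this page does not list come back as `unknown` rather than being guessed.

```python
import re

# Fixed versions copied from the advisory's remediation list, per platform and
# release branch. Branches the page does not list are left out on purpose.
DESKTOP = {"6.3": "6.3.3-h9", "6.2": "6.2.8-h10", "6.0": "6.0.13"}
MOBILE = {"6.1": "6.1.13", "6.0": "6.0.14"}
FIXED = {
    "windows": DESKTOP, "macos": DESKTOP,
    "linux": {"6.3": "6.3.3-h2", "6.0": "6.0.11"},
    "android": MOBILE, "chromeos": MOBILE,
}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """'6.3.3-h9' -> (6, 3, 3, 9); no hotfix suffix means hotfix 0; bad input -> None."""
    m = _VER.match(version.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(platform, version):
    """Return 'not_affected', 'fixed', 'vulnerable' or 'unknown'."""
    platform = platform.lower()
    if platform == "ios":
        return "not_affected"      # the advisory states iOS is not affected
    installed = parse(version)
    if installed is None:
        return "unknown"           # version string in a form this sketch cannot read
    fix = FIXED.get(platform, {}).get(f"{installed[0]}.{installed[1]}")
    if fix is None:
        return "unknown"           # platform or branch not covered by the page
    return "fixed" if installed >= parse(fix) else "vulnerable"

# Constructed inventory rows: (hostname, platform, reported app version).
INVENTORY = [
    ("hmi-eng-01", "Windows", "6.3.3-h4"),
    ("hist-02", "Linux", "6.3.3-h2"),
    ("field-tab-7", "Android", "6.1.12"),
    ("ops-mac-3", "macOS", "6.2.8-h10"),
    ("eng-lt-9", "Windows", "6.1.5"),
    ("mgr-phone", "iOS", "6.1.7"),
]

def report(rows=INVENTORY):
    return {host: triage(plat, ver) for host, plat, ver in rows}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:12} {status}")
```

Hosts reported as `unknown` need a manual check against the vendor advisory, since this page lists fixed versions only for the branches in the table.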
Long-term hardening
HARDENING: Implement network monitoring and inspection of traffic between endpoints and GlobalProtect Portal/Gateway to detect and block man-in-the-middle attacks
HARDENING: Ensure endpoints are connecting to trusted GlobalProtect Portals and Gateways using certificate pinning or other authentication controls to prevent redirection to attacker-controlled servers