PT-2026-45209 · Undefined · Undefined
Published 2026-05-31 · Updated 2026-05-31
CVE-2026-0142
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
CVE-2026-0142 does not exist. No NVD record, no CISA KEV entry, no published advisory. The identifier follows valid CVE format but carries nothing behind it — no CVSS score, no affected product, no CNA assignment. If a vendor, scanner, or third-party report handed you that number, the source deserves scrutiny before you act on it.
What is real: three CVSS 9.8–10.0 criticals from May 2026 Patch Tuesday, all KEV-listed, all with overdue federal deadlines.
CVE-2026-20182 — Cisco Catalyst SD-WAN, CVSS 10.0. An unauthenticated attacker bypasses peering authentication, logs in as a high-privileged internal account, and reaches NETCONF — which means arbitrary manipulation of the entire SD-WAN fabric configuration. CISA issued Emergency Directive 26-03 alongside the KEV listing. Federal deadline was May 17. That passed two weeks ago. If Cisco SD-WAN is in your environment, this is not a sprint-queue item.
CVE-2026-42208 — LiteLLM, CVSS 9.8. This one is the AI infrastructure story. LiteLLM is the open-source AI gateway widely used to proxy calls across OpenAI, Anthropic, and other LLM APIs. Versions 1.81.16 through 1.83.6 shipped with a SQL injection in the API key authentication path. An unauthenticated attacker sends a crafted Authorization header to any LLM API route and can read or modify the proxy's database — which stores LLM API credentials for every provider the proxy manages. That is not a data breach in the conventional sense. That is a full key compromise of your AI infrastructure. Fixed in 1.83.7. Federal deadline was May 11. If your team or any vendor you rely on is running self-hosted LiteLLM, a version check is the first call.
CVE-2026-0300 — Palo Alto PAN-OS, CVSS 9.8. A buffer overflow in the User-ID Authentication Portal lets an unauthenticated attacker execute arbitrary code with root privileges on PA-Series and VM-Series firewalls via crafted packets. Patches landed May 13. The workaround — restrict Authentication Portal access to trusted zones or disable it if unused — is straightforward and should already be in place given the May 6 KEV listing. Federal deadline was May 9.
The operational sequence is the same for all three: confirm whether the affected component is in your stack, check patch status, verify any compensating controls are actually enforced, and make sure you have telemetry that would surface exploitation attempts. The federal clock has already run out. The window for quiet remediation is narrowing.
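The "check patch status" step for the LiteLLM entry can be scripted over a requirements list. The following is an added example, not part of the original entry and not LiteLLM's own code: the range bounds are the ones stated above for CVE-2026-42208, while the sample lines, the status labels and the `litellm-helper-example` package name are constructed for illustration.

```python
import re

# Range and fix version exactly as stated on this page for CVE-2026-42208.
AFFECTED_FIRST, AFFECTED_LAST, FIXED_IN = (1, 81, 16), (1, 83, 6), (1, 83, 7)

_NAME = r"^\s*litellm(?:\[[^\]]*\])?\s*"  # package name plus optional extras
_PIN = re.compile(_NAME + r"==\s*([0-9][^\s;#]*)", re.IGNORECASE)
_LOOSE = re.compile(_NAME + r"(?:$|[<>~!=;#@])", re.IGNORECASE)

# Constructed sample requirements file; not taken from any real deployment.
SAMPLE = [
    "requests==2.32.3",
    "litellm[proxy]==1.82.3   # gateway",
    "litellm==1.83.7",
    "litellm>=1.80",
    "litellm-helper-example==0.1.0",
    "litellm==1.81.15",
]

def parse_version(text):
    """Return ((major, minor, patch), suffix), or None if no numeric release is found."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?(.*)", text.strip())
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups()[:3]), m.group(4)

def classify(version_text):
    """Classify one LiteLLM version string against the range given on this page."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    release, suffix = parsed
    if AFFECTED_FIRST <= release <= AFFECTED_LAST:
        return "affected"
    if release == FIXED_IN and suffix and not suffix.startswith(".post"):
        return "unknown"  # pre-release or custom build of the fix version: verify by hand
    return "fixed" if release >= FIXED_IN else "before-affected-range"

def audit_requirements(lines):
    """Map line number -> (requirement, status); wildcard, ranged or bare entries are 'unpinned'."""
    findings = {}
    for number, raw in enumerate(lines, 1):
        pin = _PIN.match(raw)
        if pin and "*" not in pin.group(1):
            findings[number] = (raw.strip(), classify(pin.group(1)))
        elif pin or _LOOSE.match(raw):
            findings[number] = (raw.strip(), "unpinned")
    return findings
```

An `unpinned` result means the requirements file alone cannot answer the question, so the version actually installed on the host or in the container image has to be checked.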
Related Identifiers
Affected Products
Undefined