Skip to main content

Check Point Quantum Security Gateway CVE-2026-48132

| EUVDEUVD-2026-31819 HIGH
Out-of-bounds Read (CWE-125)
2026-05-26 checkpoint GHSA-3h9p-9pvw-73vm
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 09:02 vuln.today
CVSS changed
May 26, 2026 - 15:22 NVD
7.4 (HIGH) 8.1 (HIGH)

DescriptionCVE.org

The Security Gateway does not correctly validate a length value in certain IKE packets when NAT-T is used (4500/UDP). As a result, a specially crafted or malformed packet can cause the VPN processing service to terminate unexpectedly, leading to denial of service (temporary interruption of VPN negotiations/traffic).

AnalysisAI

Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to crash the VPN processing service by sending specially crafted IKE packets over NAT-T (UDP/4500). Multiple supported releases (R81.10 and below, R81.20, R82, R82.10) are affected up to specific Jumbo Hotfix takes. No public exploit identified at time of analysis, and EPSS is low at 0.06% (17th percentile), suggesting limited near-term exploitation likelihood despite the 8.1 CVSS score.

Technical ContextAI

The flaw resides in the IKE (Internet Key Exchange) packet processing path of the Quantum Security Gateway's VPN service when NAT Traversal (NAT-T) is in use, which encapsulates IKE traffic in UDP/4500 to support clients behind NAT devices. The root cause is CWE-125 (Out-of-bounds Read): a length field within an IKE packet is not properly validated, causing the parser to read beyond the bounds of an allocated buffer when handling a malformed or attacker-crafted value. CPE data (cpe:2.3:a:checkpoint:quantum_security_gateway) confirms the vulnerability is in Check Point's enterprise VPN/firewall appliance software. While the tags include 'Information Disclosure' and 'Buffer Overflow,' the description and CWE-125 indicate the observed effect is service termination rather than memory exfiltration or code execution.

RemediationAI

Patch available per vendor advisory - install the next Jumbo Hotfix Accumulator for your branch as published in Check Point sk184982 (https://support.checkpoint.com/results/sk/sk184982), specifically a take higher than R81.20 Take 127, R82 Take 91, or R82.10 Take 19, and upgrade R81.10 (and earlier) to a supported, patched branch since all R81.10 releases are listed as affected. If patching cannot be performed immediately, compensating controls include restricting UDP/4500 (NAT-T) ingress on the gateway to known VPN peer IP addresses via an upstream firewall ACL - note that this breaks roaming/mobile VPN clients whose source IPs are unpredictable - or temporarily disabling NAT-T where peer topology permits, which will break IKE for any client behind NAT and is generally not viable for remote-access VPN deployments. Monitor the VPN daemon for unexpected restarts as a detection signal until the patch is applied.

Share

CVE-2026-48132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy