Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Security Gateway does not correctly validate a length value in certain IKE packets when NAT-T is used (4500/UDP). As a result, a specially crafted or malformed packet can cause the VPN processing service to terminate unexpectedly, leading to denial of service (temporary interruption of VPN negotiations/traffic).
AnalysisAI
Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to crash the VPN processing service by sending specially crafted IKE packets over NAT-T (UDP/4500). Multiple supported releases (R81.10 and below, R81.20, R82, R82.10) are affected up to specific Jumbo Hotfix takes. No public exploit identified at time of analysis, and EPSS is low at 0.06% (17th percentile), suggesting limited near-term exploitation likelihood despite the 8.1 CVSS score.
Technical ContextAI
The flaw resides in the IKE (Internet Key Exchange) packet processing path of the Quantum Security Gateway's VPN service when NAT Traversal (NAT-T) is in use, which encapsulates IKE traffic in UDP/4500 to support clients behind NAT devices. The root cause is CWE-125 (Out-of-bounds Read): a length field within an IKE packet is not properly validated, causing the parser to read beyond the bounds of an allocated buffer when handling a malformed or attacker-crafted value. CPE data (cpe:2.3:a:checkpoint:quantum_security_gateway) confirms the vulnerability is in Check Point's enterprise VPN/firewall appliance software. While the tags include 'Information Disclosure' and 'Buffer Overflow,' the description and CWE-125 indicate the observed effect is service termination rather than memory exfiltration or code execution.
RemediationAI
Patch available per vendor advisory - install the next Jumbo Hotfix Accumulator for your branch as published in Check Point sk184982 (https://support.checkpoint.com/results/sk/sk184982), specifically a take higher than R81.20 Take 127, R82 Take 91, or R82.10 Take 19, and upgrade R81.10 (and earlier) to a supported, patched branch since all R81.10 releases are listed as affected. If patching cannot be performed immediately, compensating controls include restricting UDP/4500 (NAT-T) ingress on the gateway to known VPN peer IP addresses via an upstream firewall ACL - note that this breaks roaming/mobile VPN clients whose source IPs are unpredictable - or temporarily disabling NAT-T where peer topology permits, which will break IKE for any client behind NAT and is generally not viable for remote-access VPN deployments. Monitor the VPN daemon for unexpected restarts as a detection signal until the patch is applied.
More in Quantum Security Gateway
View allDenial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to terminate the VPN s
Unauthenticated information disclosure in Check Point Quantum Security Gateway allows remote attackers to read internal
SQL injection in Check Point Quantum Security Gateway's UserCheck Web Portal allows a remote unauthenticated attacker wh
Heap-based buffer overflow in Check Point Quantum Security Gateway's HTTP-based service allows unauthenticated remote at
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31819
GHSA-3h9p-9pvw-73vm