Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
The VPN service may mishandle an unexpected IKE fragment value received on the IKE port 500/UDP during the early stage of a connection attempt. This can cause the service to terminate unexpectedly, resulting in denial of service (temporary disruption of VPN-related functionality).
AnalysisAI
Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to terminate the VPN service by sending a malformed IKE fragment to UDP port 500 during the early phase of a connection attempt. The flaw affects multiple R81.x, R82, and R82.10 release trains running below specific Jumbo Hotfix Takes; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).
Technical ContextAI
Check Point Quantum Security Gateway is the vendor's enterprise firewall/VPN appliance line, and the vulnerable component is its IKE (Internet Key Exchange) daemon, which negotiates IPsec tunnels on UDP/500 (and 4500 for NAT-T). The root cause is classified as CWE-122 (heap-based buffer overflow) - vendor and aggregator tags (Buffer Overflow, Heap Overflow) indicate the IKE service mishandles the length/value field of an unexpected IKE fragment, corrupting heap memory and crashing the process. IKE fragmentation (RFC 7383) was introduced to handle large IKE_AUTH payloads over UDP without IP-layer fragmentation, and parsers that don't sanitize fragment metadata before reassembly are a known source of memory-corruption bugs in VPN gateways.
RemediationAI
Apply the Jumbo Hotfix Accumulator levels above the vulnerable thresholds: install Take 92 or later for R82, Take 20 or later for R82.10, and Take 128 or later for R81.20; for R81.10 and earlier, upgrade to a still-supported R81.20/R82 train and then apply the fixed Jumbo Hotfix Take, since those branches have no patched build identified in the EUVD data. Follow Check Point's authoritative guidance in sk184981 (https://support.checkpoint.com/results/sk/sk184981) for the exact installation procedure and any conditional steps. As a compensating control until patches are deployed, restrict UDP/500 (and UDP/4500 if VPN clients tolerate it) at perimeter ACLs to only the source IPs of known VPN peers or client VPN concentrators - this blocks the attack surface entirely but will break ad-hoc remote-access VPN for mobile users; alternatively, terminate site-to-site tunnels on a redundant gateway so that a crash of one IKE daemon fails over rather than causing a full outage.
More in Quantum Security Gateway
View allDenial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to crash the VPN proce
Unauthenticated information disclosure in Check Point Quantum Security Gateway allows remote attackers to read internal
SQL injection in Check Point Quantum Security Gateway's UserCheck Web Portal allows a remote unauthenticated attacker wh
Heap-based buffer overflow in Check Point Quantum Security Gateway's HTTP-based service allows unauthenticated remote at
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31818
GHSA-4qg4-f998-wjmm