Skip to main content

Check Point Quantum Security Gateway EUVDEUVD-2026-31818

| CVE-2026-48131 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-26 checkpoint GHSA-4qg4-f998-wjmm
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 09:59 vuln.today

DescriptionCVE.org

The VPN service may mishandle an unexpected IKE fragment value received on the IKE port 500/UDP during the early stage of a connection attempt. This can cause the service to terminate unexpectedly, resulting in denial of service (temporary disruption of VPN-related functionality).

AnalysisAI

Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to terminate the VPN service by sending a malformed IKE fragment to UDP port 500 during the early phase of a connection attempt. The flaw affects multiple R81.x, R82, and R82.10 release trains running below specific Jumbo Hotfix Takes; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).

Technical ContextAI

Check Point Quantum Security Gateway is the vendor's enterprise firewall/VPN appliance line, and the vulnerable component is its IKE (Internet Key Exchange) daemon, which negotiates IPsec tunnels on UDP/500 (and 4500 for NAT-T). The root cause is classified as CWE-122 (heap-based buffer overflow) - vendor and aggregator tags (Buffer Overflow, Heap Overflow) indicate the IKE service mishandles the length/value field of an unexpected IKE fragment, corrupting heap memory and crashing the process. IKE fragmentation (RFC 7383) was introduced to handle large IKE_AUTH payloads over UDP without IP-layer fragmentation, and parsers that don't sanitize fragment metadata before reassembly are a known source of memory-corruption bugs in VPN gateways.

RemediationAI

Apply the Jumbo Hotfix Accumulator levels above the vulnerable thresholds: install Take 92 or later for R82, Take 20 or later for R82.10, and Take 128 or later for R81.20; for R81.10 and earlier, upgrade to a still-supported R81.20/R82 train and then apply the fixed Jumbo Hotfix Take, since those branches have no patched build identified in the EUVD data. Follow Check Point's authoritative guidance in sk184981 (https://support.checkpoint.com/results/sk/sk184981) for the exact installation procedure and any conditional steps. As a compensating control until patches are deployed, restrict UDP/500 (and UDP/4500 if VPN clients tolerate it) at perimeter ACLs to only the source IPs of known VPN peers or client VPN concentrators - this blocks the attack surface entirely but will break ad-hoc remote-access VPN for mobile users; alternatively, terminate site-to-site tunnels on a redundant gateway so that a crash of one IKE daemon fails over rather than causing a full outage.

Share

EUVD-2026-31818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy