Skip to main content

Checkpoint

77 CVEs product

Monthly

CVE-2026-58659 HIGH POC PATCH This Week

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.

Checkpoint RCE Pytorch Lightning
NVD GitHub
CVSS 4.0
8.4
CVE-2026-15531 LOW POC PATCH Monitor

Unsafe deserialization in HashNeRF-pytorch's Checkpoint File Handler allows a local low-privileged attacker to achieve arbitrary code execution by supplying a malicious file via the `ckpt_path` argument to `torch.load()` in `run_nerf.py`. All commits up to 82885e698295982504eb6a26d060a6b2473e3706 are affected; a fix exists as an unmerged pull request (PR #50). A public exploit has been disclosed via GitHub issue #49, though no CISA KEV listing has been identified, indicating no confirmed widespread active exploitation at time of analysis.

Deserialization Checkpoint Hashnerf Pytorch
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-10659 MEDIUM PATCH This Month

Kernel denial-of-service in Zephyr RTOS v4.4.0's Dhara flash translation layer driver crashes the system during FTL disk initialization when a flash error coincides with the journal-resume checkpoint scan. The driver's dhara_nand_read/erase/prog/copy callbacks unconditionally dereference the caller-supplied err pointer, but the upstream Dhara library legitimately passes NULL during its binary search in find_last_checkblock(), triggering a NULL write and kernel fault. No public exploit code has been identified and this CVE is absent from the CISA KEV catalog; exploitation is gated on specific flash media conditions (uncorrectable ECC, bad block, or induced fault) occurring on a checkpoint page at mount time, constraining real-world risk to physical or supply-chain threat models.

Denial Of Service Checkpoint Null Pointer Dereference Zephyr
NVD GitHub
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-52739 Cargo MEDIUM PATCH GHSA This Month

Process abort in zebrad (Zcash Foundation's Rust node) up to v4.4.1 allows a malicious block producer to crash targeted nodes by submitting a child block that repeats a shielded V5 transaction from its non-finalized parent. The ordering bug in `Chain::push` causes an `assert_eq!` uniqueness check on `tx_loc_by_hash` to fire before the duplicate shielded-nullifier guard can cleanly reject the block; under Zebra's `panic = "abort"` release profile, this terminates the entire node process rather than returning a validation error. No public exploit or CISA KEV listing has been identified, but the vendor describes two concrete attack models requiring only modest mining hashrate, making targeted denial-of-service achievable in practice.

Denial Of Service Checkpoint
NVD GitHub
CVSS 3.1
5.9
CVE-2026-52736 Cargo HIGH PATCH GHSA This Week

Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.

Information Disclosure Canonical Checkpoint
NVD GitHub
CVE-2026-13493 LOW POC PATCH Monitor

Workflow checkpoint endpoints in ComfyUI-Copilot up to 2.0.28 expose an insecure direct object reference (IDOR) flaw - the restore_workflow_checkpoint and update_workflow_ui handlers in conversation_api.py accept externally supplied version identifiers without verifying that the referenced checkpoint belongs to the requesting session, enabling an authenticated remote attacker to read workflow data owned by other sessions. The CVSS 4.0 score of 2.3 reflects limited confidentiality-only impact and high attack complexity (AC:H) due to the need to enumerate valid cross-session identifiers. A proof-of-concept is publicly available at GitHub issue #149; the upstream fix (PR #150) is pending acceptance and no patched release version has been confirmed.

Information Disclosure Checkpoint Comfyui Copilot
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-53143 HIGH PATCH This Week

Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).

Linux Buffer Overflow Checkpoint
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53017 MEDIUM PATCH This Month

Data loss in the Linux kernel's f2fs (Flash-Friendly File System) driver exposes files created and synced before any checkpoint has been written to permanent loss on sudden power off. The race condition between fsync on newly created files and concurrent checkpoint operations causes f2fs_need_inode_block_update() to misread prematurely set nat_entry flags (IS_CHECKPOINTED and HAS_LAST_FSYNC), leading fsync to skip the inode block flush it actually requires. No public exploit identified at time of analysis; the EPSS score of 0.16% at the 6th percentile reflects the narrow triggering conditions and local-only attack surface.

Checkpoint Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52923 HIGH PATCH This Week

Local privilege escalation and information disclosure in the Linux kernel's SysV IPC subsystem stems from an unbounded ID allocation in ipc_idr_alloc() along the checkpoint/restore (CRIU) path, where a user-supplied next_id can spill past the valid ipc_mni range. Because removal truncates the index via ipcid_to_idx(), a high-index object can be freed while its real IDR slot dangles, so a subsequent /proc/sysvipc/shm walk dereferences freed memory - a use-after-free. No public exploit identified at time of analysis; EPSS is low at 0.17% (6th percentile) and the issue is not on CISA KEV.

Linux Information Disclosure Checkpoint
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-54499 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.

Checkpoint Deserialization Python RCE
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-50195 Go MEDIUM PATCH GHSA This Month

Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrupt the node-local image cache, causing victim pods to silently execute malicious images in place of legitimate ones. The root cause is missing validation of image references embedded in checkpoint image configurations: containerd trusts attacker-controlled strings in the checkpoint archive to drive image pulls and local tag assignment. Subsequent pods using an IfNotPresent or Never pull policy then inherit the poisoned tag and execute arbitrary code under the victim pod's Kubernetes identity. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis; vendor-released patches are available.

RCE Checkpoint Containerd
NVD VulDB GitHub
CVSS 4.0
5.6
EPSS
0.3%
CVE-2026-53489 Go HIGH PATCH GHSA This Week

Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kubectl logs` because the plugin restores `container.log` from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the flaw was independently reported by numerous researchers and a vendor patch is available.

Checkpoint Information Disclosure Containerd
NVD VulDB GitHub
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-53492 Go HIGH PATCH GHSA This Week

Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding pod-creation rights, who restores a container from a maliciously crafted checkpoint image. The CRI restore path trusts Container Device Interface (CDI) annotations embedded in untrusted checkpoint metadata instead of the pod's create-time spec, letting the attacker smuggle arbitrary CDI edits (host device nodes and mounts) into the restored container. It affects containerd v2.1.0-2.1.8, v2.2.0-2.2.4 and v2.3.0-2.3.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Kubernetes Checkpoint Information Disclosure Containerd
NVD VulDB GitHub
CVSS 4.0
8.4
EPSS
0.5%
CVE-2026-47747 HIGH This Week

Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely achieve code execution when a victim loads a maliciously crafted checkpoint file. The flaw stems from sign confusion in the BINUNICODE opcode length field, causing memcpy to be called with an attacker-controlled, effectively gigantic size derived from a negative signed integer. No public exploit identified at time of analysis, and the issue is fixed in master-584-0a7ae07.

Checkpoint Heap Overflow Buffer Overflow Stable Diffusion Cpp
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-47750 HIGH This Week

Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user or host application loads a maliciously crafted checkpoint file. The flaw resides in the GLOBAL opcode handler within src/model.cpp, where missing newline validation lets a -1 length value drive a heap memory copy, corrupting the heap of the diffusion inference process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the attack surface (community model-sharing sites) makes weaponization plausible.

Checkpoint Memory Corruption Buffer Overflow Stable Diffusion Cpp
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-48775 PyPI MEDIUM PATCH GHSA This Month

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.

Checkpoint Deserialization Python RCE Langgraph +2
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-47749 HIGH This Week

Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.

Checkpoint RCE Memory Corruption Buffer Overflow Stable Diffusion Cpp
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-47748 MEDIUM This Month

Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. No public exploit has been identified at time of analysis, though LibFuzzer triggered crashing inputs in under one second, indicating an extremely low barrier for generating working crash payloads.

Checkpoint Information Disclosure Buffer Overflow Stable Diffusion Cpp
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-48121 npm MEDIUM PATCH GHSA This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-10847 HIGH This Week

Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.

Checkpoint Privilege Escalation Microsoft RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46540 MEDIUM This Month

Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.

Information Disclosure Checkpoint
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-38950 HIGH This Week

Arbitrary code execution in ESA AnomalyMatch before 1.3.1 allows local attackers with low privileges to run code under the application's process by planting a malicious PyTorch checkpoint into a session directory, which is loaded via torch.load() with weights_only=False. No public exploit is identified at time of analysis, but the upstream fix (PR #9) and a third-party advisory (imlabs.info) confirm the unsafe-deserialization root cause and the migration to safetensors.

Checkpoint RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-48136 MEDIUM This Month

Cross-domain RBAC bypass in Check Point Quantum Security Management allows an authenticated administrator with read-write access to one Management Domain (CMA) to modify Compliance Best Practices metadata stored in a separate Management Domain where they hold no permissions. The underlying root cause is SQL injection (CWE-89, corroborated by the 'SQLi' intelligence tag), suggesting the Compliance feature's metadata storage does not enforce domain-level query isolation. Affected releases span R81.10 and below, R81.20 up to Jumbo Hotfix Take 127, R82 up to Jumbo Hotfix Take 91, and R82.10 up to Jumbo Hotfix Take 19. No public exploit identified at time of analysis, and EPSS of 0.04% reflects low observed exploitation probability.

Checkpoint SQLi Quantum Security Management
NVD
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-48135 MEDIUM This Month

Heap-based buffer overflow in Check Point Quantum Security Gateway's HTTP-based service allows unauthenticated remote attackers to cause availability disruption by sending crafted malformed HTTP requests requiring no authentication or user interaction. Affected deployments span all R81.10 releases and below, R81.20 through Jumbo Hotfix Take 127, R82 through Jumbo Hotfix Take 91, and R82.10 through Jumbo Hotfix Take 19. No public exploit identified at time of analysis, though SSVC classifies the attack as automatable with total technical impact - a meaningful tension with the CVSS A:L rating that security teams should scrutinize before deprioritizing.

Heap Overflow Checkpoint Buffer Overflow Quantum Security Gateway
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-31221 PyPI HIGH GHSA This Week

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Checkpoint Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-31214 CRITICAL Act Now

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.

Checkpoint Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31222 PyPI HIGH GHSA This Week

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Checkpoint Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31253 PyPI HIGH GHSA This Week

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

Checkpoint Deserialization Python RCE Code Injection +1
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31250 HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.

Checkpoint Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44504 PyPI HIGH PATCH GHSA This Week

{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.

Authentication Bypass Checkpoint Python
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-43046 MEDIUM PATCH This Month

Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.

Checkpoint Ubuntu Debian Linux Information Disclosure +2
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-23267 MEDIUM PATCH This Month

This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.

Linux Information Disclosure Checkpoint Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24747 PyPI HIGH POC PATCH This Week

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

Python Pytorch Checkpoint Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2024-56586 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux Linux Kernel
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-54140 Maven LOW PATCH Monitor

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. Rated low severity (CVSS 2.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Checkpoint Java Denial Of Service
NVD GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2024-8676 Go HIGH PATCH This Week

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Checkpoint
NVD
CVSS 3.1
7.4
EPSS
0.8%
CVE-2024-6233 HIGH This Week

Check Point ZoneAlarm Extreme Security Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Checkpoint Zonealarm Extreme Security Nextgen
NVD
CVSS 3.0
7.8
EPSS
0.4%
CVE-2024-49959 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error In __jbd2_log_wait_for_space(), we might call. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux Linux Kernel
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-47690 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: f2fs: get rid of online repaire on corrupted directory syzbot reports a f2fs bug as below: kernel BUG at fs/f2fs/inode.c:896!. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux Linux Kernel
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-47669 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 ("nilfs2: separate wait function from. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux Linux Kernel
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-46781 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Code Injection Linux Checkpoint +1
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-39467 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() syzbot reports a kernel bug as below: F2FS-fs (loop0): Mounted. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Google Buffer Overflow Information Disclosure Linux Checkpoint +1
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-34027 HIGH PATCH This Week

{reserve,release}_compress_blocks() w/ cp_rwsem lock It needs to cover. Rated high severity (CVSS 7.0). This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Checkpoint Linux Linux Kernel
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2024-24919 HIGH POC KEV PATCH THREAT This Week

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Checkpoint Information Disclosure Quantum Spark Firmware Quantum Security Gateway Firmware Cloudguard Network Security
NVD
CVSS 3.1
8.6
EPSS
100.0%
CVE-2024-27035 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix to guarantee persisting compressed blocks by CP If data block in compressed cluster is not persisted with. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux Linux Kernel
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-24910 HIGH This Week

A local attacker can erscalate privileges on affected Check Point ZoneAlarm ExtremeSecurity NextGen, Identity Agent for Windows, and Identity Agent for Windows Terminal Server. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Microsoft Identity Agent Zonealarm Extreme Security Nextgen
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2024-3568 PyPI CRITICAL POC PATCH Act Now

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()`. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Checkpoint Transformers
NVD GitHub
CVSS 3.1
9.6
EPSS
2.1%
CVE-2023-28134 HIGH This Week

Local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Checkpoint Endpoint Security
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-39913 Maven HIGH PATCH This Week

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java Apache Checkpoint +1
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2023-28133 HIGH This Week

Local privilege escalation in Check Point Endpoint Security Client (version E87.30) via crafted OpenSSL configuration file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation OpenSSL Checkpoint Endpoint Security
NVD
CVSS 3.1
7.8
EPSS
5.7%
CVE-2022-41604 HIGH POC This Week

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Checkpoint Privilege Escalation Zonealarm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2022-23744 LOW Monitor

Check Point Endpoint before version E86.50 failed to protect against specific registry change which allowed to disable endpoint protection by a local administrator. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Endpoint Security Harmony Endpoint
NVD
CVSS 3.1
2.3
EPSS
4.3%
CVE-2022-23742 HIGH This Week

Check Point Endpoint Security Client for Windows versions earlier than E86.40 copy files for forensics reports from a directory with low privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Microsoft Checkpoint Endpoint Security
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2022-23743 HIGH This Week

Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Checkpoint Zonealarm
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-20750 HIGH This Week

A vulnerability in the checkpoint manager implementation of Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software could allow an unauthenticated, remote attacker to cause the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco Checkpoint Redundancy Configuration Manager
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-30356 HIGH This Week

A denial of service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which could allow low privileged users to overwrite protected system files. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Checkpoint Denial Of Service Identity Agent
NVD
CVSS 3.1
8.1
EPSS
1.0%
CVE-2020-6021 HIGH This Week

Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Microsoft Information Disclosure Endpoint Security
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-6015 MEDIUM This Month

Check Point Endpoint Security for Windows before E84.10 can reach denial of service during clean install of the client which will prevent the storage of service log files in non-standard locations. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Denial Of Service Microsoft Endpoint Security
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-6014 MEDIUM This Month

Check Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Microsoft RCE Endpoint Security
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2020-6023 HIGH This Week

Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to escalate privileges while restoring files in Anti-Ransomware. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Privilege Escalation Zonealarm
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-6022 MEDIUM This Month

Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Zonealarm
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2020-6020 MEDIUM This Month

Check Point Security Management's Internal CA web management before Jumbo HFAs R80.10 Take 278, R80.20 Take 160, R80.30 Take 210, and R80.40 Take 38, can be manipulated to run commands as a high. Rated medium severity (CVSS 6.4), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Denial Of Service Ica Management Portal
NVD
CVSS 3.1
6.4
EPSS
0.5%
CVE-2019-8463 HIGH PATCH This Week

A denial of service vulnerability was reported in Check Point Endpoint Security Client for Windows before E82.10, that could allow service log file to be written to non-standard locations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Microsoft Checkpoint Endpoint Security Clients
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2019-8462 HIGH This Week

In a rare scenario, Check Point R80.30 Security Gateway before JHF Take 50 managed by Check Point R80.30 Management crashes with a unique configuration of enhanced logging. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Checkpoint Security Gateway
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2019-8461 HIGH POC PATCH This Week

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Microsoft Information Disclosure Checkpoint Capsule Docs Standalone Client Endpoint Security +1
NVD
CVSS 3.0
7.8
EPSS
1.1%
CVE-2019-8459 CRITICAL Act Now

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Checkpoint Jumbo Hotfix For Endpoint Security Server Endpoint Security Server Package +4
NVD
CVSS 3.0
9.8
EPSS
1.2%
CVE-2019-8458 MEDIUM This Month

Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

RCE Microsoft Checkpoint Endpoint Security Clients Remote Access Clients +1
NVD
CVSS 3.1
4.4
EPSS
1.0%
CVE-2019-8454 HIGH This Week

A local attacker can create a hard-link between a file to which the Check Point Endpoint Security client for Windows before E80.96 writes and another BAT file, then by impersonating the WPAD server,. Rated high severity (CVSS 7.0). No vendor patch available.

Microsoft Information Disclosure Checkpoint Endpoint Security
NVD
CVSS 3.1
7.0
EPSS
0.3%
CVE-2019-8452 HIGH POC This Week

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Checkpoint Endpoint Security Zonealarm
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
1.0%
CVE-2019-8455 HIGH This Week

A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Checkpoint Zonealarm
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2019-8453 MEDIUM This Month

Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissions. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Checkpoint Zonealarm
NVD
CVSS 3.0
5.5
EPSS
0.3%
CVE-2019-8456 MEDIUM This Month

Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, may allow an attacker with knowledge of the internal configuration and setup to successfully connect to a site-to-site VPN. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Checkpoint Ipsec Vpn
NVD
CVSS 3.1
5.9
EPSS
20.4%
CVE-2017-1000083 HIGH POC PATCH THREAT Act Now

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 76.7%.

Information Disclosure Checkpoint Evince Debian Linux Enterprise Linux Desktop +5
NVD GitHub Exploit-DB
CVSS 3.0
7.8
EPSS
76.7%
Threat
5.4
CVE-2014-8952 HIGH This Week

Multiple unspecified vulnerabilities in Check Point Security Gateway R75.40VS, R75.45, R75.46, R75.47, R76, R77, and R77.10, when the (1) IPS blade, (2) IPsec Remote Access, (3) Mobile Access / SSL. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Checkpoint Denial Of Service Security Gateway
NVD
CVSS 2.0
7.1
EPSS
0.7%
CVE-2014-8951 HIGH This Week

Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enabled and the (1) Application Control, (2) URL Filtering, (3) DLP, (4) Threat Emulation, (5). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Checkpoint Denial Of Service Security Gateway
NVD
CVSS 2.0
7.1
EPSS
0.7%
CVE-2014-8950 HIGH This Week

Unspecified vulnerability in Check Point Security Gateway R77 and R77.10, when the (1) URL Filtering or (2) Identity Awareness blade is used, allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Checkpoint Denial Of Service Security Gateway
NVD
CVSS 2.0
7.1
EPSS
0.7%
CVE-2013-7350 CRITICAL Act Now

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x before R75.20.4 and 600 and 1100 appliances R75.20.x before R75.20.42 have unknown. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Security Gateway
NVD VulDB
CVSS 2.0
10.0
EPSS
0.3%
CVSS 8.4
HIGH POC PATCH This Week

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.

Checkpoint RCE Pytorch Lightning
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Unsafe deserialization in HashNeRF-pytorch's Checkpoint File Handler allows a local low-privileged attacker to achieve arbitrary code execution by supplying a malicious file via the `ckpt_path` argument to `torch.load()` in `run_nerf.py`. All commits up to 82885e698295982504eb6a26d060a6b2473e3706 are affected; a fix exists as an unmerged pull request (PR #50). A public exploit has been disclosed via GitHub issue #49, though no CISA KEV listing has been identified, indicating no confirmed widespread active exploitation at time of analysis.

Deserialization Checkpoint Hashnerf Pytorch
NVD VulDB GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Kernel denial-of-service in Zephyr RTOS v4.4.0's Dhara flash translation layer driver crashes the system during FTL disk initialization when a flash error coincides with the journal-resume checkpoint scan. The driver's dhara_nand_read/erase/prog/copy callbacks unconditionally dereference the caller-supplied err pointer, but the upstream Dhara library legitimately passes NULL during its binary search in find_last_checkblock(), triggering a NULL write and kernel fault. No public exploit code has been identified and this CVE is absent from the CISA KEV catalog; exploitation is gated on specific flash media conditions (uncorrectable ECC, bad block, or induced fault) occurring on a checkpoint page at mount time, constraining real-world risk to physical or supply-chain threat models.

Denial Of Service Checkpoint Null Pointer Dereference +1
NVD GitHub
CVSS 5.9
MEDIUM PATCH This Month

Process abort in zebrad (Zcash Foundation's Rust node) up to v4.4.1 allows a malicious block producer to crash targeted nodes by submitting a child block that repeats a shielded V5 transaction from its non-finalized parent. The ordering bug in `Chain::push` causes an `assert_eq!` uniqueness check on `tx_loc_by_hash` to fire before the duplicate shielded-nullifier guard can cleanly reject the block; under Zebra's `panic = "abort"` release profile, this terminates the entire node process rather than returning a validation error. No public exploit or CISA KEV listing has been identified, but the vendor describes two concrete attack models requiring only modest mining hashrate, making targeted denial-of-service achievable in practice.

Denial Of Service Checkpoint
NVD GitHub
HIGH PATCH This Week

Remote denial-of-service in Zebra (zebrad ≤ v4.4.1), the Zcash Foundation's Rust node, lets an unauthenticated P2P peer permanently stall a targeted node at a chosen block height. By exploiting ZIP-244 transaction malleability, an attacker crafts a poisoned block body sharing the same header hash as a valid canonical block; Zebra caches the hash before validation and never evicts it on failure, so the legitimate block is later rejected as a duplicate. This is a real availability threat against default configurations, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was independently reproduced end-to-end by two researchers.

Information Disclosure Canonical Checkpoint
NVD GitHub
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Workflow checkpoint endpoints in ComfyUI-Copilot up to 2.0.28 expose an insecure direct object reference (IDOR) flaw - the restore_workflow_checkpoint and update_workflow_ui handlers in conversation_api.py accept externally supplied version identifiers without verifying that the referenced checkpoint belongs to the requesting session, enabling an authenticated remote attacker to read workflow data owned by other sessions. The CVSS 4.0 score of 2.3 reflects limited confidentiality-only impact and high attack complexity (AC:H) due to the need to enumerate valid cross-session identifiers. A proof-of-concept is publicly available at GitHub issue #149; the upstream fix (PR #150) is pending acceptance and no patched release version has been confirmed.

Information Disclosure Checkpoint Comfyui Copilot
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).

Linux Buffer Overflow Checkpoint
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Data loss in the Linux kernel's f2fs (Flash-Friendly File System) driver exposes files created and synced before any checkpoint has been written to permanent loss on sudden power off. The race condition between fsync on newly created files and concurrent checkpoint operations causes f2fs_need_inode_block_update() to misread prematurely set nat_entry flags (IS_CHECKPOINTED and HAS_LAST_FSYNC), leading fsync to skip the inode block flush it actually requires. No public exploit identified at time of analysis; the EPSS score of 0.16% at the 6th percentile reflects the narrow triggering conditions and local-only attack surface.

Checkpoint Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and information disclosure in the Linux kernel's SysV IPC subsystem stems from an unbounded ID allocation in ipc_idr_alloc() along the checkpoint/restore (CRIU) path, where a user-supplied next_id can spill past the valid ipc_mni range. Because removal truncates the index via ipcid_to_idx(), a high-index object can be freed while its real IDR slot dangles, so a subsequent /proc/sysvipc/shm walk dereferences freed memory - a use-after-free. No public exploit identified at time of analysis; EPSS is low at 0.17% (6th percentile) and the issue is not on CISA KEV.

Linux Information Disclosure Checkpoint
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.

Checkpoint Deserialization Python +1
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Checkpoint image poisoning in containerd's CRI implementation allows an attacker with pod-creation permissions to corrupt the node-local image cache, causing victim pods to silently execute malicious images in place of legitimate ones. The root cause is missing validation of image references embedded in checkpoint image configurations: containerd trusts attacker-controlled strings in the checkpoint archive to drive image pulls and local tag assignment. Subsequent pods using an IfNotPresent or Never pull policy then inherit the poisoned tag and execute arbitrary code under the victim pod's Kubernetes identity. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis; vendor-released patches are available.

RCE Checkpoint Containerd
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Arbitrary host file disclosure in containerd's CRI plugin lets an attacker read any file on the Kubernetes node via `kubectl logs` because the plugin restores `container.log` from a checkpoint image while blindly following a symlinked path. All containerd 2.x branches before 2.1.9, 2.2.5, and 2.3.2 are affected wherever container checkpoint/restore (CRIU-based) is used. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the flaw was independently reported by numerous researchers and a vendor patch is available.

Checkpoint Information Disclosure Containerd
NVD VulDB GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Kubernetes device-plugin and resource-allocation enforcement can be bypassed in containerd by a namespace user holding pod-creation rights, who restores a container from a maliciously crafted checkpoint image. The CRI restore path trusts Container Device Interface (CDI) annotations embedded in untrusted checkpoint metadata instead of the pod's create-time spec, letting the attacker smuggle arbitrary CDI edits (host device nodes and mounts) into the restored container. It affects containerd v2.1.0-2.1.8, v2.2.0-2.2.4 and v2.3.0-2.3.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Kubernetes Checkpoint Information Disclosure +1
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely achieve code execution when a victim loads a maliciously crafted checkpoint file. The flaw stems from sign confusion in the BINUNICODE opcode length field, causing memcpy to be called with an attacker-controlled, effectively gigantic size derived from a negative signed integer. No public exploit identified at time of analysis, and the issue is fixed in master-584-0a7ae07.

Checkpoint Heap Overflow Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user or host application loads a maliciously crafted checkpoint file. The flaw resides in the GLOBAL opcode handler within src/model.cpp, where missing newline validation lets a -1 length value drive a heap memory copy, corrupting the heap of the diffusion inference process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the attack surface (community model-sharing sites) makes weaponization plausible.

Checkpoint Memory Corruption Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.

Checkpoint Deserialization Python +4
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.

Checkpoint RCE Memory Corruption +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. No public exploit has been identified at time of analysis, though LibFuzzer triggered crashing inputs in under one second, indicating an extremely low barrier for generating working crash payloads.

Checkpoint Information Disclosure Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

{"$gt": ""}`) to be interpreted as query logic rather than literal values. No public exploit is independently catalogued (KEV not listed), but a proof-of-concept TypeScript payload is included in the vendor advisory, and EPSS sits at 0.03% (8th percentile), indicating low observed exploitation activity at time of analysis.

Checkpoint Nosql Injection Authentication Bypass
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.

Checkpoint Privilege Escalation Microsoft +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Incomplete macro-block state synchronization in Nimiq core-rs-albatross LightBlockchain allows a network-accessible attacker to permanently stall a light client's chain progression by triggering a rebranch to a fork whose tip is a macro (checkpoint or election) block. Affected are all deployments of the Rust Albatross light client prior to v1.4.0. When exploitation targets an election block specifically, the stale current_validators pointer causes every subsequent push() call to fail verify_validators(), rendering the light client unable to advance its chain. No public exploit identified at time of analysis, though the exact fix is visible in merged PR #3706 and the triggering conditions are fully described in the advisory.

Information Disclosure Checkpoint
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in ESA AnomalyMatch before 1.3.1 allows local attackers with low privileges to run code under the application's process by planting a malicious PyTorch checkpoint into a session directory, which is loaded via torch.load() with weights_only=False. No public exploit is identified at time of analysis, but the upstream fix (PR #9) and a third-party advisory (imlabs.info) confirm the unsafe-deserialization root cause and the migration to safetensors.

Checkpoint RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM This Month

Cross-domain RBAC bypass in Check Point Quantum Security Management allows an authenticated administrator with read-write access to one Management Domain (CMA) to modify Compliance Best Practices metadata stored in a separate Management Domain where they hold no permissions. The underlying root cause is SQL injection (CWE-89, corroborated by the 'SQLi' intelligence tag), suggesting the Compliance feature's metadata storage does not enforce domain-level query isolation. Affected releases span R81.10 and below, R81.20 up to Jumbo Hotfix Take 127, R82 up to Jumbo Hotfix Take 91, and R82.10 up to Jumbo Hotfix Take 19. No public exploit identified at time of analysis, and EPSS of 0.04% reflects low observed exploitation probability.

Checkpoint SQLi Quantum Security Management
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Heap-based buffer overflow in Check Point Quantum Security Gateway's HTTP-based service allows unauthenticated remote attackers to cause availability disruption by sending crafted malformed HTTP requests requiring no authentication or user interaction. Affected deployments span all R81.10 releases and below, R81.20 through Jumbo Hotfix Take 127, R82 through Jumbo Hotfix Take 91, and R82.10 through Jumbo Hotfix Take 19. No public exploit identified at time of analysis, though SSVC classifies the attack as automatable with total technical impact - a meaningful tension with the CVSS A:L rating that security teams should scrutinize before deprioritizing.

Heap Overflow Checkpoint Buffer Overflow +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Checkpoint Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.

Checkpoint Python RCE +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Checkpoint Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH This Week

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

Checkpoint Deserialization Python +3
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.

Checkpoint Python RCE +2
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.

Authentication Bypass Checkpoint Python
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Kernel denial of service via crafted btrfs metadata allowing local attackers to trigger an unguarded BUG_ON() condition during relocation recovery at mount time. The vulnerability arises when a root item on disk contains a non-zero drop_progress with zero drop_level, an invalid state that should not exist but lacks validation on read. CVSS 5.5 reflects local attack vector and availability impact; EPSS 0.02% indicates minimal real-world exploitation likelihood.

Checkpoint Ubuntu Debian +4
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.

Linux Information Disclosure Checkpoint +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

Python Pytorch Checkpoint +2
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix f2fs_bug_on when uninstalling filesystem call f2fs_evict_inode. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux +1
NVD
EPSS 0% CVSS 2.1
LOW PATCH Monitor

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. Rated low severity (CVSS 2.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Checkpoint Java Denial Of Service
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Week

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Checkpoint
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Check Point ZoneAlarm Extreme Security Link Following Local Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Checkpoint +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error In __jbd2_log_wait_for_space(), we might call. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: f2fs: get rid of online repaire on corrupted directory syzbot reports a f2fs bug as below: kernel BUG at fs/f2fs/inode.c:896!. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 ("nilfs2: separate wait function from. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Code Injection +3
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() syzbot reports a kernel bug as below: F2FS-fs (loop0): Mounted. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Google Buffer Overflow Information Disclosure +3
NVD
EPSS 0% CVSS 7.0
HIGH PATCH This Week

{reserve,release}_compress_blocks() w/ cp_rwsem lock It needs to cover. Rated high severity (CVSS 7.0). This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Checkpoint Linux +1
NVD
EPSS 100% CVSS 8.6
HIGH POC KEV PATCH THREAT This Week

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Checkpoint Information Disclosure Quantum Spark Firmware +2
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix to guarantee persisting compressed blocks by CP If data block in compressed cluster is not persisted with. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Checkpoint Information Disclosure Linux +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

A local attacker can erscalate privileges on affected Check Point ZoneAlarm ExtremeSecurity NextGen, Identity Agent for Windows, and Identity Agent for Windows Terminal Server. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Microsoft +2
NVD
EPSS 2% CVSS 9.6
CRITICAL POC PATCH Act Now

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()`. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE Checkpoint +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local attacker can escalate privileges on affected installations of Check Point Harmony Endpoint/ZoneAlarm Extreme Security. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Checkpoint Endpoint Security
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Deserialization Java +3
NVD
EPSS 6% CVSS 7.8
HIGH This Week

Local privilege escalation in Check Point Endpoint Security Client (version E87.30) via crafted OpenSSL configuration file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation OpenSSL Checkpoint +1
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Checkpoint Privilege Escalation Zonealarm
NVD GitHub
EPSS 4% CVSS 2.3
LOW Monitor

Check Point Endpoint before version E86.50 failed to protect against specific registry change which allowed to disable endpoint protection by a local administrator. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Endpoint Security +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Check Point Endpoint Security Client for Windows versions earlier than E86.40 copy files for forensics reports from a directory with low privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Microsoft Checkpoint +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Check Point ZoneAlarm before version 15.8.200.19118 allows a local actor to escalate privileges during the upgrade process. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Checkpoint Zonealarm
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A vulnerability in the checkpoint manager implementation of Cisco Redundancy Configuration Manager (RCM) for Cisco StarOS Software could allow an unauthenticated, remote attacker to cause the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco Checkpoint +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A denial of service vulnerability was reported in Check Point Identity Agent before R81.018.0000, which could allow low privileged users to overwrite protected system files. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Checkpoint Denial Of Service Identity Agent
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Microsoft Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Check Point Endpoint Security for Windows before E84.10 can reach denial of service during clean install of the client which will prevent the storage of service log files in non-standard locations. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Denial Of Service Microsoft +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Check Point Endpoint Security Client for Windows, with Anti-Bot or Threat Emulation blades installed, before version E83.20, tries to load a non-existent DLL during a query for the Domain Name. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Microsoft RCE +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to escalate privileges while restoring files in Anti-Ransomware. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Privilege Escalation Zonealarm
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Check Point ZoneAlarm before version 15.8.139.18543 allows a local actor to delete arbitrary files while restoring files in Anti-Ransomware. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Zonealarm
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

Check Point Security Management's Internal CA web management before Jumbo HFAs R80.10 Take 278, R80.20 Take 160, R80.30 Take 210, and R80.40 Take 38, can be manipulated to run commands as a high. Rated medium severity (CVSS 6.4), this vulnerability is low attack complexity. No vendor patch available.

Checkpoint Denial Of Service Ica Management Portal
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A denial of service vulnerability was reported in Check Point Endpoint Security Client for Windows before E82.10, that could allow service log file to be written to non-standard locations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Microsoft Checkpoint +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In a rare scenario, Check Point R80.30 Security Gateway before JHF Take 50 managed by Check Point R80.30 Management crashes with a unique configuration of enhanced logging. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Checkpoint Security Gateway
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH location on a clean image without Endpoint Client installed. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Microsoft Information Disclosure Checkpoint +3
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without using quotes in the path. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Checkpoint +6
NVD
EPSS 1% CVSS 4.4
MEDIUM This Month

Check Point Endpoint Security Client for Windows, with Anti-Malware blade installed, before version E81.00, tries to load a non-existent DLL during an update initiated by the UI. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

RCE Microsoft Checkpoint +3
NVD
EPSS 0% CVSS 7.0
HIGH This Week

A local attacker can create a hard-link between a file to which the Check Point Endpoint Security client for Windows before E80.96 writes and another BAT file, then by impersonating the WPAD server,. Rated high severity (CVSS 7.0). No vendor patch available.

Microsoft Information Disclosure Checkpoint +1
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security client for Windows before E80.96 to any file on the system will get its permission. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Checkpoint +2
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH This Week

A hard-link created from the log file of Check Point ZoneAlarm up to 15.4.062 to any file on the system will get its permission changed so that all users can access that linked file. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Checkpoint Zonealarm
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are taken from directories where all users have write permissions. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Checkpoint Zonealarm
NVD
EPSS 20% CVSS 5.9
MEDIUM This Month

Check Point IKEv2 IPsec VPN up to R80.30, in some less common conditions, may allow an attacker with knowledge of the internal configuration and setup to successfully connect to a site-to-site VPN. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Checkpoint Ipsec Vpn
NVD
EPSS 77% 5.4 CVSS 7.8
HIGH POC PATCH THREAT Act Now

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 76.7%.

Information Disclosure Checkpoint Evince +7
NVD GitHub Exploit-DB
EPSS 1% CVSS 7.1
HIGH This Week

Multiple unspecified vulnerabilities in Check Point Security Gateway R75.40VS, R75.45, R75.46, R75.47, R76, R77, and R77.10, when the (1) IPS blade, (2) IPsec Remote Access, (3) Mobile Access / SSL. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Checkpoint Denial Of Service Security Gateway
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enabled and the (1) Application Control, (2) URL Filtering, (3) DLP, (4) Threat Emulation, (5). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Checkpoint Denial Of Service Security Gateway
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Unspecified vulnerability in Check Point Security Gateway R77 and R77.10, when the (1) URL Filtering or (2) Identity Awareness blade is used, allows remote attackers to cause a denial of service. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Checkpoint Denial Of Service Security Gateway
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x before R75.20.4 and 600 and 1100 appliances R75.20.x before R75.20.42 have unknown. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Checkpoint Information Disclosure Security Gateway
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy