Checkpoint Security Gateway IKE NAT-T Length Validation Crash (DoS)
CVE-2026-48132 Published on May 26, 2026
VPN service may restart unexpectedly when processing IKE traffic over NAT-T 4500/UDP
The Security Gateway does not correctly validate a length value in certain IKE packets when NAT-T is used (4500/UDP). As a result, a specially crafted or malformed packet can cause the VPN processing service to terminate unexpectedly, leading to denial of service (temporary interruption of VPN negotiations/traffic).
Vulnerability Analysis
CVE-2026-48132 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.
Products Associated with CVE-2026-48132
Want to know whenever a new CVE is published for Check Point Software Security Gateway? stack.watch will email you.
Affected Versions
checkpoint Quantum Security Gateway:- Version R82.10 with Jumbo Hotfix Take 6 or below is affected.
- Version R82 with Jumbo Hotfix Take 91 or below is affected.
- Version R81.20 with Jumbo Hotfix Take 127 or below is affected.
- Version All releases from R81.10 and below is affected.