SB20260528251 - Multiple vulnerabilities in Check Point Gaia
Published: May 28, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2026-48131)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based out-of-bounds write in VPND IKE fragment reassembly when processing an unexpected IKE fragment value with sequence number zero during the early stage of a connection attempt over UDP port 500. A remote attacker can send a specially crafted IKE packet to cause a denial of service.
Existing IPsec tunnels continue to function, and the affected VPN service is automatically restarted by the WatchDog service.
2) Input validation error (CVE-ID: CVE-2026-48132)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in IKE packet processing when handling specially crafted NAT-T traffic over 4500/UDP. A remote attacker can send a specially crafted packet to cause a denial of service.
The issue causes the VPN processing service to terminate unexpectedly, resulting in a temporary interruption of VPN negotiations and traffic.
3) Path traversal (CVE-ID: CVE-2026-48133)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper limitation of a pathname to a restricted directory in the Identity Awareness captive portal when handling browser-based authentication requests. A remote attacker can send a crafted request to disclose sensitive information.
Only systems with the Identity Awareness blade enabled with Browser-Based Authentication are vulnerable.
4) SQL injection (CVE-ID: CVE-2026-48134)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to manipulate stored DLP/UserCheck incident information and cause a denial of service.
The vulnerability exists due to SQL injection in the UserCheck Web Portal UserChoice flow when handling input on the UserCheck Ask page. A remote user can submit crafted input to manipulate stored DLP/UserCheck incident information and cause a denial of service.
Only systems with DLP active are vulnerable, and exploitation requires access to the UserCheck Ask page.
5) Heap-based buffer overflow (CVE-ID: CVE-2026-48135)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to cause a denial of service, inject HTTP headers, or execute arbitrary code.
The vulnerability exists due to a heap-based buffer overflow in the HTTP request processing path when processing malformed HTTP requests. A remote attacker can send a specially crafted HTTP request to cause a denial of service, inject HTTP headers, or execute arbitrary code.
The issue affects HTTP-based services such as Mobile Access Portal and Identity Awareness Portals, except for Captive Portal.
6) Improper access control (CVE-ID: CVE-2026-48136)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify stored metadata associated with Compliance Best Practices in another management domain.
The vulnerability exists due to improper access control in the Compliance feature when handling cross-domain metadata access. A remote user can modify stored metadata associated with Compliance Best Practices in a management domain where they have no access permissions.
Exploitation is possible only when Compliance is enabled on Check Point Multi-Domain Management.
Remediation
Install the update from the vendor's website.
References
- https://support.checkpoint.com/results/sk/sk184981
- https://support.checkpoint.com/results/sk/sk184982
- https://support.checkpoint.com/results/sk/sk184993
- https://support.checkpoint.com/results/sk/sk184983
- https://support.checkpoint.com/results/sk/sk184991
- https://support.checkpoint.com/results/sk/sk184992