topic Re: Check point vulnerable to CVE-2026-31431? in Firewall and Security Management

Check point vulnerable to CVE-2026-31431?

Mattias_Jansson — Mon, 04 May 2026 12:46:46 GMT

Hi.

Any guidence from Check Point regarding CVE-2026-31431 ?
https://access.redhat.com/security/cve/cve-2026-31431#cve-details-description

Re: Check point vulnerable to CVE-2026-31431?

simonemantovani — Mon, 04 May 2026 13:01:11 GMT

At the moment, there is no information about Check Point's vulnerability for the reported CVE ... ...https://support.checkpoint.com/security-advisories.

If I look on a R81.20 installation the affected module is not present; so at a first sight, this vulnerability doesn't affect Check Point product.

We wati for someone in Check Point to provide a better answer.

Re: Check point vulnerable to CVE-2026-31431?

_Val_ — Mon, 04 May 2026 13:18:49 GMT

We are currently working on the official response. AFAIK, R81.20 and below are not affected.

If you need an immediate response relevant to your versions in use, please open a ticket with TAC.

Re: Check point vulnerable to CVE-2026-31431?

Steffen_Appel — Mon, 04 May 2026 13:54:45 GMT

Quick check on a R82 test box: It seems to work there.

Re: Check point vulnerable to CVE-2026-31431?

Bob_Zimmerman — Mon, 04 May 2026 18:21:01 GMT

The issue is present in R82 and up, but there are plenty of other local privilege escalation vectors. This one is no worse than CVE-2021-3156 (sk171751), for example. R82.10 still ships sudo 1.8.19p2.

If you need something now, Red Hat's mitigation works on all versions which have the problem, including non-Red-Hat distributions. Just keep in mind it doesn't affect any of the other local privilege escalation bugs.

Re: Check point vulnerable to CVE-2026-31431?

Bob_Zimmerman — Mon, 04 May 2026 18:27:21 GMT

R81.20 and earlier are definitely not impacted by CVE-2026-31431. The problem was introduced in Linux 4.14. R81.20 uses kernel 3.10.0-1160.

R82 is the first release to use a kernel version ≥4.14.

Re: Check point vulnerable to CVE-2026-31431?

SubZer0 — Mon, 04 May 2026 19:57:06 GMT

On R82 MGMT algif_aead is not in use. I dont have R82 gateway. I assume it could be used on the gateway for an IPsec VPN. I also assumed it might be used for MGMT for SIC, but it isn’t. Even if it is, the question is whether it’s possible to carry out an attack.

Re: Check point vulnerable to CVE-2026-31431?

SubZer0 — Mon, 04 May 2026 20:24:33 GMT

PoC script for CVE-2026-31431
https://github.com/AliHzSec/CVE-2026-31431/blob/master/main.py

My conclusion: Even if the FW is vulnerable, an attacker would first need to gain access to the FW… so this vulnerability doesn’t really help them, since they already have access 🙂

Re: Check point vulnerable to CVE-2026-31431?

Bob_Zimmerman — Mon, 04 May 2026 20:28:58 GMT

On RHEL (and Gaia is based on RHEL), it's not a module, it's built into the kernel. It's definitely present in R82 and R82.10.

Re: Check point vulnerable to CVE-2026-31431?

Steffen_Appel — Tue, 05 May 2026 06:22:31 GMT

As I wrote it works, but for the python version you need to be in a group (bin) which allows python to execute, but python is just an example, the bug is exploitanble in languages too.

Re: Check point vulnerable to CVE-2026-31431?

Steffen_Appel — Tue, 05 May 2026 07:42:00 GMT

Yes and no, remember the remote shell bug two years ago?

Re: Check point vulnerable to CVE-2026-31431?

_Val_ — Tue, 05 May 2026 09:55:40 GMT

R82+ versions are affected. However, to execute the exploit, a user has to have access to the expert shell, meaning that the user is already privileged, which defeats the purpose. Non-privileged users either cannot access FW at all or don't have the expert shell. Users at the root level don't need to elevate their permissions; they already have the maximum permissions.

Re: Check point vulnerable to CVE-2026-31431?

Steffen_Appel — Tue, 05 May 2026 13:05:08 GMT

Yes, unless they find a way like 2 years ago...

Re: Check point vulnerable to CVE-2026-31431?

Duane_Toler — Tue, 05 May 2026 13:57:11 GMT

Even then, the exploit at the time was already able to run as root with full access. However, a blended attack is always a risk.

Re: Check point vulnerable to CVE-2026-31431?

simonemantovani — Tue, 05 May 2026 14:00:44 GMT

Maybe yes, but in any case the risk is not so high/critical because at the moment the exposure can be mitigated by filter IP addresses that can access the affected gateways.

So from my point of view, it would be enough to wait the next JHF that probably could solve it.

Re: Check point vulnerable to CVE-2026-31431?

_Val_ — Wed, 06 May 2026 07:08:58 GMT

The official response is ready and available in sk184928

Quoting from there:

Symptoms

On April 22, 2026, CERT published vulnerabilities in the Linux kernel.
This issue received the ID CVE-2026-31431.
It addresses an issue in the Linux kernel’s cryptographic interface (algif_aead).

Solution

Practical risk: Low.

The vulnerability requires non-root local code execution, which the Gaia OS standard role model does not expose, because administrative access goes through Expert mode (already root), and non-admin roles are restricted to Clish.

If you have created non-admin users with non-Clish shell access (treating them as effectively administrative), and this was not intentional, remove the shell access.
By default, only adminRole users have shell access; all other roles use Clish.

Note: R81.20 and earlier versions are not affected.

Re: Check point vulnerable to CVE-2026-31431?

Bob_Zimmerman — Thu, 07 May 2026 21:05:38 GMT

There are now two more known, trivial local privilege escalation vulnerabilities which don't even have CVE numbers yet. It sounds like the mitigation for CVE-2026-31431 does not mitigate the two new ones.

https://github.com/V4bel/dirtyfrag/blob/master/assets/write-up.md