Mattias_Jansson
Collaborator

Check Point vulnerable to CVE-2026-31431?

Hi.

Any guidance from Check Point regarding CVE-2026-31431?
https://access.redhat.com/security/cve/cve-2026-31431#cve-details-description



Accepted Solutions
_Val_
Admin

The official response is ready and available in sk184928

Quoting from there:

Symptoms

  • On April 22, 2026, CERT published vulnerabilities in the Linux kernel. 
    This issue received the ID CVE-2026-31431
    It addresses an issue in the Linux kernel’s cryptographic interface (algif_aead).

Solution

Practical risk: Low.

The vulnerability requires non-root local code execution, which the Gaia OS standard role model does not expose, because administrative access goes through Expert mode (already root), and non-admin roles are restricted to Clish.

If you have created non-admin users with non-Clish shell access (treating them as effectively administrative), and this was not intentional, remove the shell access.
By default, only adminRole users have shell access; all other roles use Clish.

Note: R81.20 and earlier versions are not affected. 

15 Replies
simonemantovani
MVP Silver

At the moment, there is no information about Check Point's vulnerability for the reported CVE ... https://support.checkpoint.com/security-advisories.

If I look at an R81.20 installation, the affected module is not present, so at first sight this vulnerability doesn't affect Check Point products.

We wait for someone at Check Point to provide a better answer.

_Val_
Admin

We are currently working on the official response. AFAIK, R81.20 and below are not affected.

If you need an immediate response relevant to your versions in use, please open a ticket with TAC.

Bob_Zimmerman
MVP Gold

R81.20 and earlier are definitely not impacted by CVE-2026-31431. The problem was introduced in Linux 4.14. R81.20 uses kernel 3.10.0-1160.

R82 is the first release to use a kernel version ≥4.14.

Steffen_Appel
Advisor

Quick check on a R82 test box: It seems to work there.

_Val_
Admin

R82+ versions are affected. However, to execute the exploit, a user has to have access to the expert shell, meaning that the user is already privileged, which defeats the purpose. Non-privileged users either cannot access FW at all or don't have the expert shell. Users at the root level don't need to elevate their permissions; they already have the maximum permissions.

Steffen_Appel
Advisor

Yes, unless they find a way like 2 years ago...

Duane_Toler
MVP Silver

Even then, the exploit at the time was already able to run as root with full access.  However, a blended attack is always a risk.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
simonemantovani
MVP Silver

Maybe yes, but in any case the risk is not so high/critical because at the moment the exposure can be mitigated by filtering the IP addresses that can access the affected gateways.

So from my point of view, it would be enough to wait for the next JHF that could probably solve it.

Bob_Zimmerman
MVP Gold

The issue is present in R82 and up, but there are plenty of other local privilege escalation vectors. This one is no worse than CVE-2021-3156 (sk171751), for example. R82.10 still ships sudo 1.8.19p2.

If you need something now, Red Hat's mitigation works on all versions which have the problem, including non-Red-Hat distributions. Just keep in mind it doesn't affect any of the other local privilege escalation bugs.

SubZer0
Collaborator

On R82 MGMT algif_aead is not in use. I don't have an R82 gateway. I assume it could be used on the gateway for an IPsec VPN. I also assumed it might be used for MGMT for SIC, but it isn’t. Even if it is, the question is whether it’s possible to carry out an attack.

Bob_Zimmerman
MVP Gold

On RHEL (and Gaia is based on RHEL), it's not a module, it's built into the kernel. It's definitely present in R82 and R82.10.
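
The criteria given in this thread (kernel 4.14 or newer, algif_aead present even when it is compiled in and therefore invisible to a module listing, and non-admin accounts with a non-Clish shell) combined into one triage script. This is an added example, not part of any post or of sk184928; the Clish shell path `/etc/cli.sh`, the use of UID 0 as a stand-in for adminRole, and all function names are assumptions, and the script does not test whether a vendor fix is installed.

```shell
#!/bin/sh
# Added example: local exposure triage built from the criteria in this thread.
# Assumptions: Clish login shell is /etc/cli.sh; UID 0 stands in for adminRole.
CLISH_SHELL=${CLISH_SHELL:-/etc/cli.sh}

# True when the kernel release (uname -r format) is 4.14 or newer.
kernel_in_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -ge 14 ]; }
}

# Prints builtin, module, absent or unknown for algif_aead, read from the
# kernel build config; lsmod cannot show code compiled into the kernel.
aead_build_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case $(grep '^CONFIG_CRYPTO_USER_API_AEAD=' "$1" || true) in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# Lists non-root accounts in a passwd-format file whose login shell is an
# interactive shell other than Clish, one "user:shell" per line.
nonclish_users() {
    awk -F: -v clish="$CLISH_SHELL" '
        $3 != 0 && $7 != clish && $7 !~ /(nologin|false|sync|shutdown|halt)$/ {
            print $1 ":" ($7 == "" ? "/bin/sh" : $7)
        }' "$1"
}

# Combines the three checks into one line of output.
triage() {  # args: kernel-release config-file passwd-file
    if ! kernel_in_range "$1"; then echo "kernel $1: older than 4.14"; return 0; fi
    users=$(nonclish_users "$3" | paste -sd, -)
    echo "kernel $1: algif_aead=$(aead_build_state "$2") non-clish-users=${users:-none}"
}

triage "$(uname -r)" "/boot/config-$(uname -r)" /etc/passwd
```

Any account it lists can run local code without being root, which is the precondition sk184928 names for this CVE.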

Steffen_Appel
Advisor

As I wrote, it works, but for the Python version you need to be in a group (bin) which allows Python to execute. But Python is just an example; the bug is exploitable in other languages too.

SubZer0
Collaborator

PoC script for CVE-2026-31431
https://github.com/AliHzSec/CVE-2026-31431/blob/master/main.py

My conclusion: Even if the FW is vulnerable, an attacker would first need to gain access to the FW… so this vulnerability doesn’t really help them, since they already have access 🙂

Steffen_Appel
Advisor

Yes and no, remember the remote shell bug two years ago?

