F5 BIG-IP vulnerabilities
406 known vulnerabilities affecting f5/big-ip.
Total CVEs: 406
CISA KEV: 4 (actively exploited)
Public exploits: 7
Exploited in wild: 3
Severity breakdown: CRITICAL 8, HIGH 171, MEDIUM 74, LOW 5, UNKNOWN 148
Vulnerabilities
Page 1 of 21
CVE-2026-41957 | HIGH | CVSS 8.7 | CWE-502 | Affected: ≥ 17.5.0, < 17.5.1.4; ≥ 17.1.0, < 17.1.3.1; +1 more | 2026-05-13
An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-41953 | HIGH | CVSS 8.5 | CWE-77 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-42919 | HIGH | CVSS 7.1 | CWE-121 | Affected: ≥ 21.0.0, < 21.0.0.1; ≥ 17.5.0, < 17.5.1.4; +2 more | 2026-05-13
A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. A successful exploit may allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-42937 | HIGH | CVSS 7.1 | CWE-732 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view adjacent network information.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-39455 | HIGH | CVSS 8.7 | CWE-772 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-40462 | HIGH | CVSS 7.1 | CWE-732 | Affected: ≥ 21.0.0, < 21.0.0.1; ≥ 17.5.0, < 17.5.1.4; +2 more | 2026-05-13
Incorrect permission assignment vulnerabilities exist in iControl REST and TMOS shell (tmsh) undisclosed command which may allow an authenticated attacker to view sensitive information.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-32673 | HIGH | CVSS 8.5 | CWE-250 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-42930 | HIGH | CVSS 8.5 | CWE-35 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-40631 | HIGH | CVSS 8.5 | CWE-552 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-40423 | HIGH | CVSS 8.7 | CWE-770 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-40618 | HIGH | CVSS 8.7 | CWE-131 | Affected: ≥ 21.0.0, < 21.0.0.1; ≥ 17.5.0, < 17.1.5.4; +2 more | 2026-05-13
When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-42406 | HIGH | CVSS 8.5 | CWE-267 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-41217 | HIGH | CVSS 8.3 | CWE-732 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-40629 | HIGH | CVSS 8.7 | CWE-770 | Affected: ≥ 17.5.0, < 17.5.1.4; ≥ 17.1.0, < 17.1.3.1; +1 more | 2026-05-13
When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-41219 | HIGH | CVSS 7.1 | CWE-532 | Affected: ≥ 17.5.0, < 17.5.1.4; ≥ 17.1.0, < 17.1.3.1; +1 more | 2026-05-13
An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Sources: NVD, F5
CVE-2026-41956 | HIGH | CVSS 8.7 | CWE-121 | Affected: ≥ 17.5.0, < 17.5.1.4; ≥ 17.1.0, < 17.1.3.1; +1 more | 2026-05-13
When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-42924 | HIGH | CVSS 8.5 | CWE-78 | Affected: ≥ 21.0.0, < 21.0.0.1; ≥ 17.5.0, < 17.5.1.4; +2 more | 2026-05-13
An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-42920 | HIGH | CVSS 8.7 | CWE-835 | Affected: ≥ 21.0.0, < 21.0.0.1; ≥ 17.5.0, < 17.5.1.4; +2 more | 2026-05-13
When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-39458 | HIGH | CVSS 8.7 | CWE-824 | Affected: ≥ 21.0.0, < 21.0.0.1; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD
CVE-2026-32643 | HIGH | CVSS 8.5 | CWE-250 | Affected: ≥ 21.0.0, < 21.0.0.2; ≥ 17.5.0, < 17.5.1.6; +2 more | 2026-05-13
A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD