Description
When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an incorrect calculation of buffer size (CWE-131). When an SSL profile is applied to a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT), or on a BIG-IP hardware platform with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. The common factor in both conditions is that SSL/TLS processing runs in software inside TMM rather than being offloaded to crypto hardware. A TMM termination disrupts traffic processing on the unit until TMM restarts (or the peer takes over in an HA pair), which is the denial of service the scores below describe. The advisory does not describe the traffic that triggers the condition.

Affected Systems

The advisory lists F5 BIG-IP, BIG-IP Next CNF, BIG-IP Next SPK, and BIG-IP Next for Kubernetes as affected products. This page does not enumerate affected or fixed versions. F5 notes that versions past End of Technical Support (EoTS) were not evaluated, so an EoTS installation should be treated as unassessed rather than as unaffected. A system is in scope when an SSL profile is attached to a virtual server and SSL is handled in software: BIG-IP VE without QAT, or a hardware platform with crypto.hwacceleration set to disabled.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (High) and the CVSS v3.1 score of 7.5 both describe a network-reachable, low-complexity, unauthenticated attack with no user interaction whose impact is on availability (VA:H with SA:L in v4.0; A:H in v3.1), with no confidentiality or integrity impact. The EPSS estimate is below 1%, the issue is not listed in CISA KEV, and the SSVC assessment records no known exploitation while marking the issue Automatable. An attacker needs only network reachability to a virtual server that has an SSL profile in the software-crypto configuration; no privileges or credentials are required. Because the triggering traffic is undisclosed, exposure should be assessed from the reachability of vulnerable virtual servers rather than from any assumption about the payload.

Generated by OpenCVE AI on May 13, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed BIG‑IP release once F5 publishes one; at the time of this page no fixed version is listed here, so consult F5's advisory for CVE-2026-40618 for the fix table.
  • If an upgrade is not available, address the condition that puts SSL in software. On hardware platforms, crypto.hwacceleration set to disabled is the exposing setting; set it back to enabled (tmsh modify sys db crypto.hwacceleration value enable) so SSL is offloaded to the platform's crypto hardware. On BIG‑IP VE without QAT there is no hardware to enable, so the only configuration-level mitigation is to remove the SSL profile from exposed virtual servers, which also removes TLS termination on them; where that is not acceptable, restrict which sources can reach those virtual servers.
  • Because the triggering traffic is undisclosed, there is no signature to block on. Restrict sources and rate‑limit connections to SSL virtual servers at the upstream firewall or on the BIG‑IP itself, and alert on TMM restarts and core files, which are the observable symptom of the crash.

Generated by OpenCVE AI on May 13, 2026 at 16:47 UTC.
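A triage helper, added here and not part of OpenCVE's page or of F5's tooling: given the output of three tmsh commands, it decides whether a unit is in the software-SSL condition from the description above and lists the virtual servers that carry a client-ssl or server-ssl profile. The tmsh output embedded below is constructed sample text standing in for real command output, the platform type and QAT presence are passed in by hand because the page gives no detection method for them, and the enable/disable value strings for crypto.hwacceleration are assumed.

```shell
#!/bin/sh
# CVE-2026-40618 exposure triage. Added example; not from OpenCVE or F5.
# On a real BIG-IP the three inputs come from these tmsh commands:
#   tmsh list sys db crypto.hwacceleration
#   tmsh list ltm profile client-ssl one-line ; tmsh list ltm profile server-ssl one-line
#   tmsh list ltm virtual profiles
# Everything named SAMPLE_* below is constructed text standing in for that output.

SAMPLE_DB='sys db crypto.hwacceleration {
    value "disable"
}'

SAMPLE_SSL_PROFILES='ltm profile client-ssl clientssl { app-service none cert default.crt }
ltm profile client-ssl web_clientssl { defaults-from clientssl }
ltm profile server-ssl serverssl { app-service none }'

SAMPLE_VIRTUALS='ltm virtual vs_https {
    profiles {
        web_clientssl {
            context clientside
        }
        http { }
        tcp { }
    }
}
ltm virtual vs_plain_http {
    profiles {
        http { }
        tcp { }
    }
}
ltm virtual vs_reencrypt {
    profiles {
        serverssl {
            context serverside
        }
        tcp { }
    }
}'

# Extract the crypto.hwacceleration value from "tmsh list sys db" output
# (works for the multi-line and the one-line output shape).
hwaccel_value() {
    printf '%s\n' "$1" | sed -n 's/.*value "\([^"]*\)".*/\1/p'
}

# Print the names of all client-ssl and server-ssl profiles, one per line.
ssl_profile_names() {
    printf '%s\n' "$1" | awk '$1 == "ltm" && $2 == "profile" && ($3 == "client-ssl" || $3 == "server-ssl") { print $4 }'
}

# Print the virtual servers that reference any of the given SSL profile names.
# $1 = "tmsh list ltm virtual profiles" output, $2 = newline-separated profile names.
virtuals_with_ssl() {
    printf '%s\n' "$1" | awk -v names="$2" '
        BEGIN { n = split(names, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") ssl[a[i]] = 1 }
        $1 == "ltm" && $2 == "virtual" { vs = $3; next }
        vs != "" && ($1 in ssl) && !seen[vs]++ { print vs }
    '
}

# Classify the SSL data path per the advisory's two conditions.
# $1 = "ve" or "hardware"; $2 = "yes"/"no" for Intel QAT (only meaningful on VE);
# $3 = crypto.hwacceleration value, assumed to be "enable" or "disable".
# VE without QAT, or hardware with the variable disabled, means SSL runs in software.
ssl_path() {
    case "$1" in
        ve)       [ "$2" = "yes" ] && echo hardware-ssl || echo software-ssl ;;
        hardware) [ "$3" = "disable" ] && echo software-ssl || echo hardware-ssl ;;
        *)        echo unknown ;;
    esac
}

# Top-level check: prints exposed virtual servers and returns 0 if there are any,
# 1 if the unit is not in the software-SSL condition or has no SSL virtual servers.
check_exposure() {
    platform=$1; qat=$2; db_out=$3; prof_out=$4; vs_out=$5
    path=$(ssl_path "$platform" "$qat" "$(hwaccel_value "$db_out")")
    [ "$path" = "software-ssl" ] || return 1
    exposed=$(virtuals_with_ssl "$vs_out" "$(ssl_profile_names "$prof_out")")
    [ -n "$exposed" ] || return 1
    printf '%s\n' "$exposed"
}

# Constructed run: a hardware platform with crypto.hwacceleration disabled.
# Prints vs_https and vs_reencrypt; vs_plain_http has no SSL profile.
check_exposure hardware no "$SAMPLE_DB" "$SAMPLE_SSL_PROFILES" "$SAMPLE_VIRTUALS"
```

The profile names are taken from the client-ssl and server-ssl profile lists rather than matched by name, so custom profiles that do not contain "ssl" in their name are still found, and a server-ssl profile (re-encryption to the pool) counts as an SSL profile on the virtual server just as a client-ssl profile does.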

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type: First Time appeared
Values Added: F5; F5 big-ip; F5 big-ip Next Cnf; F5 big-ip Next For Kubernetes; F5 big-ip Next Spk

Type: Vendors & Products
Values Added: F5; F5 big-ip; F5 big-ip Next Cnf; F5 big-ip Next For Kubernetes; F5 big-ip Next Spk

Wed, 13 May 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type: Description
Values Added: When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Type: Title
Values Added: BIG-IP SSL/TLS vulnerability

Type: Weaknesses
Values Added: CWE-131

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:13:44.066Z

Reserved: 2026-04-30T23:02:47.694Z

Link: CVE-2026-40618

Vulnrichment

Updated: 2026-05-13T16:13:39.516Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:43.097

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:27Z

Weaknesses