Description
When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes a virtual server with SSL/TLS profiles to become unresponsive, halting new client connections when it encounters undisclosed traffic. This results in a denial of service that could affect all clients attempting to reach the affected service. The identified weakness is CWE-770 (Allocation of Resources Without Limits or Throttling), a resource-exhaustion condition that breaks service availability.

Affected Systems

Affected are F5 BIG‑IP, BIG‑IP Next CNF, BIG‑IP Next SPK, and BIG‑IP Next for Kubernetes. All software supporting configurable SSL profiles on a virtual server is at risk. Versions reaching End of Technical Support are not evaluated.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high‑severity issue. The EPSS score is very low (under 1%) and the vulnerability is not listed in CISA KEV, so there is currently no indication of active exploitation. However, the nature of the flaw, a service halt triggered by undisclosed traffic, suggests an adversary could craft specific SSL traffic to trigger it. In the absence of publicly disclosed exploits, the risk remains theoretical, but the high score warrants prompt mitigation.

Generated by OpenCVE AI on May 13, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest F5 security update that addresses the SSL/TLS crash on BIG‑IP systems.
  • Verify that SSL profile configuration conforms to documented best practices and remove any custom or unsupported settings.
  • If a patch cannot be applied immediately, block or rate‑limit unexpected TLS traffic at the network perimeter to prevent the crash until remediation completes.

Generated by OpenCVE AI on May 13, 2026 at 16:47 UTC.


Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                F5; F5 big-ip; F5 big-ip Next Cnf; F5 big-ip Next For Kubernetes; F5 big-ip Next Spk
Vendors & Products   -                F5; F5 big-ip; F5 big-ip Next Cnf; F5 big-ip Next For Kubernetes; F5 big-ip Next Spk

Wed, 13 May 2026 17:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  -                When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title        -                BIG-IP SSL/TLS vulnerability
Weaknesses   -                CWE-770
References   -                
Metrics      -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                              cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

F5; Big-ip; Big-ip Next Cnf; Big-ip Next For Kubernetes; Big-ip Next Spk

MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-13T16:14:24.119Z

Reserved: 2026-04-30T23:02:47.678Z

Link: CVE-2026-40629

Vulnrichment

Updated: 2026-05-13T16:14:19.591Z

NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:16:43.290

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-40629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:29Z

Weaknesses